Mailing List Archive

Stuart D. Gathman wrote:

> by the principle of least surprise, "a:%{h}" where h="museum."
> or h="museum" (or anything else that would give a syntax error
> if syntax was checked after expansion) should not match.

It's an idea. I've changed "isn't allowed" to "should not match"
in the "<target-name> is a TLD" section.

> If we had it to do over again, we would even throw permerror
> (it would have been so simple to say "expand macros before
> checking syntax"), but we can't for reasons that have already
> been discussed.

Do you think the "permerror on invalid domain" issue should be
deleted ? I think it's related to the case where <target-name>
contains adjacent dots. Maybe the two wannabe-errata could be
joined:

| If the <target-name> after macro exapnsion is a single label
| (e.g. a top level domain ) with or without trailing dot, or
| an invalid domain (e.g. strings with adjecent dots), then the
| corresponding mechanism does not match.

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Tue, Mar 27, 2007 at 08:51:02PM +0200, Frank Ellermann wrote:

> | If the <target-name> after macro exapnsion is a single label
> | (e.g. a top level domain ) with or without trailing dot, or
> | an invalid domain (e.g. strings with adjecent dots), then the
> | corresponding mechanism does not match.

This is weird. We're writing an add-on for email, not for RFC2821.
A domain is a domain. There's nothing special about a TLD, except
that it is not allowed to be all numeric. Please see the relevant
RFC, first listed normative reference in RFC4408.

According to STD1, SMTP is defined by STD10, currently RFC821.
2821 is a proposed standard only, and is currently under debate.

What if the RFC2821bis people suddenly change their mind and do
allow "user@ws" ?

The possible outcome:
(where I write 2821bis, I do mean 2821bis or an successor).
a) 2821, nor 2821bis, makes it. 821 allows TLD domains.
b) 2821bis makes it, but modified, not banning TLD domains.
c) 2821bis makes it, including banning TLD domains.

Should SPF be corrected to conform with STD13 (RFC103[45]) then
all three cases are covered (outcome c is not to be fed to SPF,
but would work nevertheless if it does reach SPF).

Should SPF not be corrected, then two out of three will mean
SPF is incompatible with the official internet protocol standard.


DNS caching should take care of "myhome" type of names. True, SPF
would do another query but a nearby cache will answer it after
this was cached when the SMTP server tried to verify this name
(HELO myhome) or this maildomain (MAIL FROM:<user@myhome>).

Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Alex van den Bogaerdt wrote:

>>| If the <target-name> after macro exapnsion is a single label
>>| (e.g. a top level domain ) with or without trailing dot, or
>>| an invalid domain (e.g. strings with adjecent dots), then the
>>| corresponding mechanism does not match.

> This is weird.

Weird or not, it's consistent with <domain-spec>. And we can't
change <domain-spec> _again_, the last AUTH48 mutilation was bad
enough. I begin to hope that this change didn't break older SPF
implementations, AFAIK nobody reported problems with SPF policies
using the optional trailing dot in <domain-spec> so far.

> We're writing an add-on for email, not for RFC2821.

The issue isn't about mail, it's about syntactically good policies
where <target-name> results after macro expansion into something
that's an SPF syntax error if used directly in a <domain-spec>
without macros.

Mechanisms like "a:foo" or "mx:bar." are SPF syntax errors. And
"a:foo..bar" (adjacent dots) is no syntax error as far as the ABNF
is concerned.

In other words a:foo..bar gets no PermError, but e.g. a:localhost
or mx:museum are PermErrors.

After macro expansion of say a:%{h} or mx:%{L} the <target-name>
can have the same forms, foo..bar, museum, oemcomputer, etc. And
clearly museum is no "invalid domain", and oemcomputer also isn't
an "invalid domain" (it's just no registered ICANN TLD (yet)).

OTOH foo..bar is clearly crap, you don't get NXDOMAIN. I guess
we're not interested to revisit <domain-spec>, that gives us:

"domain" | as <domain-spec> | as <target-name> | 2821 | 821
------------+------------------+------------------+------+----
foo | PERMERROR | possible FQDN | bad | ok.
bar. | PERMERROR | possible FQDN | bad | bad
museum | PERMERROR | possible FQDN | bad | ok.
oemcomputer | PERMERROR | possible FQDN | bad | ok.
localhost | PERMERROR | possible FQDN | bad | ok.
foo..bar | no syntax error | impossible FQDN | bad | bad

The (2)821 columns are only for comparison. Not modifying the
<domain-spec> means that the PERMERRORs stay PERMERRORs, and
a direct foo..bar doesn't trigger a syntax error.

After that decision all SPF implementations can still face the
corresponding <target-name>s either after expanding macros, or
because <domain-spec> foo..bar wasn't caught as an ABNF error.

SPF implementations have to do something at this point in the
evaluation. For the single labels they could just ask DNS, and
in rare cases like museum they might even get an answer that's
not NXDOMAIN.

For foo..bar they can't query DNS because that's no domain. To
get predictable results with different implementations we have
to say what's the "correct" behaviour in these cases:

Apparently folks like to ignore foo..bar, the mechanism simply
doesn't match, and move on (next directive).

Apparently folks don't like to query DNS for single labels as
<target-name>, and wish to ignore them just like foo..bar.

It's IMO a plausible choice, maybe not nice for single labels,
but being nice to TLDs operated as host was obviously never an
SPF goal, otherwise <domain-spec> wouldn't insist on "the dot"
or PERMERROR.

> Please see the relevant RFC, first listed normative reference
> in RFC4408.

If you think that <domain-spec> should be changed to allow TLDs
please post a proposal how that's supposed to work in the ABNF.

IIRC the last (2004) attempts in this direction caused an ABNF
ambiguity identified on the MARID list by an expert:
<http://article.gmane.org/gmane.ietf.mxcomp/2846>

> What if the RFC2821bis people suddenly change their mind and
> do allow "user@ws" ?

Won't change <domain-spec> in RFC 4408, unless we say so in an
erratum or 4408bis. And I don't intend to "fix" <domain-spec>,
but if you have an idea that works with yacc, bison or similar,
let's see.

The <target-name> foo..bar issue is not necessarily related to
the single label issues, even with an improved <domain-spec>
we'd still have to address <target-name> foo..bar separately -
at least I see now again why there was an old separate erratum:

I'll add the "rationale" (= example foo..bar) to the Web page
later, explaining that this can happen directly and also after
macro expansion... <sigh />

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Wed, 28 Mar 2007 17:17:00 +0200 Frank Ellermann
<nobody@xyzzy.claranet.de> wrote:
>Alex van den Bogaerdt wrote:
>
>>>| If the <target-name> after macro exapnsion is a single label
>>>| (e.g. a top level domain ) with or without trailing dot, or
>>>| an invalid domain (e.g. strings with adjecent dots), then the
>>>| corresponding mechanism does not match.
>
>> This is weird.
>
>Weird or not, it's consistent with <domain-spec>. And we can't
>change <domain-spec> _again_, the last AUTH48 mutilation was bad
>enough. I begin to hope that this change didn't break older SPF
>implementations, AFAIK nobody reported problems with SPF policies
>using the optional trailing dot in <domain-spec> so far.
>
Not all implementations support the trailing dot. Libspf is at least one
that does not.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Scott Kitterman wrote:

> Not all implementations support the trailing dot. Libspf
> is at least one that does not.

We could add a rule to an informative "lessons learned" RFC:

"Never try to outsmart RFCs 2822 and (2)821 in AUTH48" :-)

Probably libspf has more important problems with RFC 4408,
I vaguely recall that it never supported Wayne's concepts
of predictable error handling and clear processing limits.

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Wed, 28 Mar 2007 19:11:19 +0200 Frank Ellermann
<nobody@xyzzy.claranet.de> wrote:
>Scott Kitterman wrote:
>
>> Not all implementations support the trailing dot. Libspf
>> is at least one that does not.
>
>We could add a rule to an informative "lessons learned" RFC:
>
>"Never try to outsmart RFCs 2822 and (2)821 in AUTH48" :-)
>
>Probably libspf has more important problems with RFC 4408,
>I vaguely recall that it never supported Wayne's concepts
>of predictable error handling and clear processing limits.
>
This is correct. Additionally, it's completely unmaintained AFAICT.

I don't recommend people use libspf, but it is the only SPF library used by
a number of applications and migration to a more modern one is non-trivial.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735