Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Discuss
"Last Call" pending exp= (empty) erratum
nobody at xyzzy
May 13, 2007, 6:02 AM
Post #1 of 9 (6758 views)
Permalink
Hi,

we got three pending errata on <http://www.openspf.org/RFC_4408/Errata>.

One of those pending errata is actually simple, it's about an "empty"
exp= modifier. We have it clear that exp= is in fact an exp-modifier,
not an unknown modifier, see (5c) "greedy unnown" in the minutes:

<http://www.openspf.org/Council_Meeting/2007-04-21>
<http://www.openspf.org/RFC_4408/Errata#greedy-unknown>

So now we've to decide what to do with it, three possible solutions
are listed: <http://www.openspf.org/RFC_4408/Errata#empty-exp>.

(1) The grammar for exp should be:
| explanation = "exp" "=" [ domain-spec ]

(2) Section 6.2/4 should be changed to say:
| If there are any DNS processing errors (any RCODE other than 0), or
| if no records are returned, or if more than one record is returned,
| or if there are syntax errors in the explanation string, then
| proceed as if no exp modifier was given.

(3)
| In section 6.2/4 replace <domain-spec> by <target-name>.

====================================================================
(1) is KISS, and generally I like KISS. But I'm not convinced that
it's what the spec. really wanted. It would allow policies like
"v=spf1 a -all exp=" with the same meaning as "v=spf1 a -all".

The empty exp= would have no effect, especially it would not disable
any default explanation provided by the checker. IMO if a syntax
construct has no effect at all (also not the only plausible effect),
then it's an obscure error on the side of the publisher.

====================================================================
(2) and (3) are very similar, both would flag exp= as syntax error.

The relevant paragraphs 6.2/3 and 6.2/4 in RFC 4408 about exp are:

| The <domain-spec> is macro expanded (see Section 8) and becomes the
| <target-name>. The DNS TXT record for the <target-name> is fetched.
|
| If <domain-spec> is empty, or there are any DNS processing errors
| (any RCODE other than 0), or if no records are returned, or if more
| than one record is returned, or if there are syntax errors in the
| explanation string, then proceed as if no exp modifier was given.

Solution (2) simply removes "<domain-spec> is empty, or" from the
picture, keeping the rest as is.

Solution (3) additionally keeps odd cases with an empty <target-name>
(after macro-expansion) as is, e.g. exp=%h could result in an empty
<target name> for an empty or missing HELO. In all cases the effect
of (2) and (3) is the same.

====================================================================
Before the Council starts its odd "toss a coin" ritual also known as
"Council meeting" - the Internet at large will survive any possible
outcome about this erratum - do you have an opinion as input ?

The proponents for this erratum can't directly recuse themselves as
long as Scott and Stuart alone have no quorum. Maybe the Council
could disable that rule exceptionally, but if then Scott and Stuart
don't pick the same solution we'd be in a procedural mess. This
problem isn't interesting enough for a "community vote", or is it ?

Frank


-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
scott at kitterman
May 23, 2007, 6:50 AM
Post #2 of 9 (6613 views)
Permalink
On Sunday 13 May 2007 09:02, Frank Ellermann wrote:
> Hi,
>
> we got three pending errata on <http://www.openspf.org/RFC_4408/Errata>.
>
> One of those pending errata is actually simple, it's about an "empty"
> exp= modifier. We have it clear that exp= is in fact an exp-modifier,
> not an unknown modifier, see (5c) "greedy unnown" in the minutes:
>
> <http://www.openspf.org/Council_Meeting/2007-04-21>
> <http://www.openspf.org/RFC_4408/Errata#greedy-unknown>
>
> So now we've to decide what to do with it, three possible solutions
> are listed: <http://www.openspf.org/RFC_4408/Errata#empty-exp>.
>
> (1) The grammar for exp should be:
> | explanation = "exp" "=" [ domain-spec ]
>
> (2) Section 6.2/4 should be changed to say:
> | If there are any DNS processing errors (any RCODE other than 0), or
> | if no records are returned, or if more than one record is returned,
> | or if there are syntax errors in the explanation string, then
> | proceed as if no exp modifier was given.
>
> (3)
>
> | In section 6.2/4 replace <domain-spec> by <target-name>.
>
> ====================================================================
> (1) is KISS, and generally I like KISS. But I'm not convinced that
> it's what the spec. really wanted. It would allow policies like
> "v=spf1 a -all exp=" with the same meaning as "v=spf1 a -all".
>
> The empty exp= would have no effect, especially it would not disable
> any default explanation provided by the checker. IMO if a syntax
> construct has no effect at all (also not the only plausible effect),
> then it's an obscure error on the side of the publisher.
>
> ====================================================================
> (2) and (3) are very similar, both would flag exp= as syntax error.
>
> The relevant paragraphs 6.2/3 and 6.2/4 in RFC 4408 about exp are:
> | The <domain-spec> is macro expanded (see Section 8) and becomes the
> | <target-name>. The DNS TXT record for the <target-name> is fetched.
> |
> | If <domain-spec> is empty, or there are any DNS processing errors
> | (any RCODE other than 0), or if no records are returned, or if more
> | than one record is returned, or if there are syntax errors in the
> | explanation string, then proceed as if no exp modifier was given.
>
> Solution (2) simply removes "<domain-spec> is empty, or" from the
> picture, keeping the rest as is.
>
> Solution (3) additionally keeps odd cases with an empty <target-name>
> (after macro-expansion) as is, e.g. exp=%h could result in an empty
> <target name> for an empty or missing HELO. In all cases the effect
> of (2) and (3) is the same.
>
> ====================================================================
> Before the Council starts its odd "toss a coin" ritual also known as
> "Council meeting" - the Internet at large will survive any possible
> outcome about this erratum - do you have an opinion as input ?
>
> The proponents for this erratum can't directly recuse themselves as
> long as Scott and Stuart alone have no quorum. Maybe the Council
> could disable that rule exceptionally, but if then Scott and Stuart
> don't pick the same solution we'd be in a procedural mess. This
> problem isn't interesting enough for a "community vote", or is it ?
>
I don't think we need a community vote for this.

I like option 2 because I don't like the idea that messing up the explanation
causes SPF errors. The exp modifier is about why something happened and
shouldn't change what happens.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
stuart at bmsi
May 23, 2007, 1:36 PM
Post #3 of 9 (6606 views)
Permalink
On Wed, 23 May 2007, Scott Kitterman wrote:

> I like option 2 because I don't like the idea that messing up the explanation
> causes SPF errors. The exp modifier is about why something happened and
> shouldn't change what happens.

I think you meant option 1.

I think they could be reworded as follows:
Option 1 never gives permerror for empty exp.
Option 2 gives permerror for both implicit and explicit empty exp
Option 3 gives permerror for explicit empty exp ("exp="), but not
for implicit empty exp (as a result of macro expansion, e.g. "exp=%h")

I favor option 1, for the same reason as Scott. I could live with Option 3:
"Ok, someone clearly screwed up with an explicit exp=, but don't let screwy HELO
cause an SPF permerror on an otherwise syntactically valid record."

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
scott at kitterman
May 23, 2007, 1:50 PM
Post #4 of 9 (6617 views)
Permalink
On Wednesday 23 May 2007 16:36, Stuart D. Gathman wrote:
> On Wed, 23 May 2007, Scott Kitterman wrote:
> > I like option 2 because I don't like the idea that messing up the
> > explanation causes SPF errors. The exp modifier is about why something
> > happened and shouldn't change what happens.
>
> I think you meant option 1.
>
> I think they could be reworded as follows:
> Option 1 never gives permerror for empty exp.
> Option 2 gives permerror for both implicit and explicit empty exp
> Option 3 gives permerror for explicit empty exp ("exp="), but not
> for implicit empty exp (as a result of macro expansion, e.g. "exp=%h")
>
> I favor option 1, for the same reason as Scott. I could live with Option
> 3: "Ok, someone clearly screwed up with an explicit exp=, but don't let
> screwy HELO cause an SPF permerror on an otherwise syntactically valid
> record."

No. I meant #2.

> | or if there are syntax errors in the explanation string, then
> | proceed as if no exp modifier was given.

So a bad exp is a bad exp, but it doesn't raise an error, you just ignore the
exp.

Unless I misunderstood what Frank was after.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
gerberb at zenez
May 23, 2007, 3:35 PM
Post #5 of 9 (6617 views)
Permalink
On Wed, 23 May 2007, Stuart D. Gathman wrote:
> On Wed, 23 May 2007, Scott Kitterman wrote:
>
> > I like option 2 because I don't like the idea that messing up the explanation
> > causes SPF errors. The exp modifier is about why something happened and
> > shouldn't change what happens.
>
> I think you meant option 1.
>
> I think they could be reworded as follows:
> Option 1 never gives permerror for empty exp.
> Option 2 gives permerror for both implicit and explicit empty exp
> Option 3 gives permerror for explicit empty exp ("exp="), but not
> for implicit empty exp (as a result of macro expansion, e.g. "exp=%h")
>
> I favor option 1, for the same reason as Scott. I could live with Option 3:
> "Ok, someone clearly screwed up with an explicit exp=, but don't let screwy HELO
> cause an SPF permerror on an otherwise syntactically valid record."

+1 I prefer option 1

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
stuart at bmsi
May 23, 2007, 3:50 PM
Post #6 of 9 (6617 views)
Permalink
On Wed, 23 May 2007, Scott Kitterman wrote:

> > | or if there are syntax errors in the explanation string, then
> > | proceed as if no exp modifier was given.
>
> So a bad exp is a bad exp, but it doesn't raise an error, you just ignore the
> exp.

> Unless I misunderstood what Frank was after.

You misunderstood.

"syntax errors in the explanation string" means *after* fetching it from
the domain. E.g.

example.com IN TXT "v=spf1 exp=foo.example.com -all"
foo.example.com IN TXT "%{q}"

'q' is not a valid macro letter, so the explanation string has a syntax
error and should be ignored (by all three options).

However,
example2.com IN TXT "v=spf1 exp= -all"

option 1 ignored (ignore empty domain spec)
option 2 permerror (doesn't match domain-spec)
option 3 permerror (doesn't match domain-spec)

and
example3.com IN TXT "v=spf1 exp=%h -all"
HELO ''

option 1 ignored (target-name is not a valid domain name)
option 2 ignored (target-name is not a valid domain name)
option 2 ignored (target-name is empty)

Options 2 and 3 should have the same result, but differ in whether
empty target-name is explicitly ignored.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
scott at kitterman
May 23, 2007, 6:16 PM
Post #7 of 9 (6618 views)
Permalink
On Wednesday 23 May 2007 18:50, Stuart D. Gathman wrote:

> You misunderstood.

Then I need to go think it through some more. I recall thinking it was to
good to be true, I guess I was at least right about that.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
nobody at xyzzy
Nov 15, 2007, 2:43 AM
Post #8 of 9 (6269 views)
Permalink
Boyd Lynn Gerber wrote six months ago:

[Stuart:]
>> I think they could be reworded as follows:
>> Option 1 never gives permerror for empty exp.
>> Option 2 gives permerror for both implicit and explicit empty exp
>> Option 3 gives permerror for explicit empty exp ("exp="), but not
>> for implicit empty exp (as a result of macro expansion, e.g.
>> "exp=%h")

Good summary.

>> I favor option 1, for the same reason as Scott. I could live with
>> Option 3: "Ok, someone clearly screwed up with an explicit exp=,
>> but don't let screwy HELO cause an SPF permerror on an otherwise
>> syntactically valid record."

> +1 I prefer option 1

Scott said 2, Julian proposed 2, I proposed 3. When the result of a
question is no clear "no" or "rough" consensus the question was wrong,
paraphrasing ASCII-art posted by Brian on the IETF general list... ;-)

We need more facts, example policy: "v=spf1 a:%{l}.example.org -all"
MAIL FROM "quote...me"@example.org

What's the <target-name> for this beast ? Does the test suite already
cover something in the direction of quoted strings (+/- quote pairs)
in the local part ?

Frank

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
nobody at xyzzy
Nov 22, 2007, 1:07 AM
Post #9 of 9 (6261 views)
Permalink
Update: Option 1 is out, "running code" reports PERMERROR.

Looking again at it I think options 2 and 3 are equivalent,
both would report FAIL if the exp= <target-name> is empty
or otherwise unusable. Option 2 is shorter (not talking
about empty <domain-name> at all), option 3 is a smaller
diff from 4408 (replacing <domain-name> by <target-name>).

How about picking the "shorter" option and be done with it ?

Frank

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal