apache at bago
Jun 18, 2007, 1:10 AM
Post #27 of 41
Julian Mehnle ha scritto:
Re: Re: Problems with spf testsuite and dns specification
[In reply to]
> Stefano Bagnara wrote:
>> As Julien already told, rfc2181 does IMO apply also to stup
>> implementations of a DNS resolver.
> Let me phrase it like this: from the DNS RFCs' PoV, there is no live DNS or
> emulated DNS -- there's just DNS. Anyone who claims to implement DNS must
> adhere to the same set of DNS RFCs.
Right. Sorry for my bad english reporting your opinion..
>> Again, IMO the problem with the specification is that it requires a
>> behaviour that is unknown when you publish the duplicated records.
> Well, the _real_ solution is for domain owners to NOT publish multiple
> identical records. Then the problem won't occur in the first place.
> Consequently, this is exactly what the test suite should do, or rather, not
> do. I.e., it should not "publish" multiple identical records in the test
> case that is actually supposed to test for RFC 4408 4.5/6.
IMHO this is the minimum required change on SPF side. Right now the
testsuite does not take care of the DNS suggestion to compact identical
records and so the multispf* tests may fail even with a compliant
implementation (jSPF case). Switching to multiple different records will
keep testing the intent of RFC4408 4.5/6 without the assumption that the
DNS implementation is not following the "SHOULD compact" suggestion.
>> It does not make sense at all: if you are simply telling that what is
>> wrote in the 4408 is like something said by God and cannot be wrong,
>> then ok, we can skip this discussion at all, otherwise it should be
>> considered that the rfc4408 may be inappropriate about this
> RFC 4408 is not beyond criticism, however we cannot change it retroactively
> and expect all the existing "v=spf1" implementations to follow suit (in
> this case, they would have to newly implement recognition of multiple
> identical RRs).
It is not important at all if they apply or not apply the rule when they
receive multiple identical records: we already have unpredictable result
and the unpredictable result will remain. Unfortunately the testsuite
enforced a bad practice, IMO.
Maybe a better errata could be to specify "In case of multiple identical
records an implementation can either return PermError or parse the
record (see rfc2181 par 5): publishers SHOULD NOT publish multiple
records at all if they want predictable result".
I'm also curious to see how many of the current compliant
implementations do compact the results in the "live" environment: we
already know that there is a high probability that a dns cache/server in
the chain will compact them (bind based servers do that) and we also
know that some client library do the same. Dnsjava does this for sure,
and if I understood it also the standard C libresolve, based on bind
code, does the same: it would be interesting to check what libspf,
libspf2, pyspf, Mail-SPF do "for real".
Maybe the case of current implementations is already really different
from what you/we thought.
> "v=spf1" is carved in stone. We have fought hard in the past to protect
> its integrity. Of all the imaginable issues, this one certainly doesn't
> warrant an exception.
I think that at least an errata to warn people that multiple identical
records could be compacted by the underlying DNS transport and may lead
to unpredictable results (sometime PermError, sometimes elaborated)
would already help other implementors and publisher understanding the
I think the empty/explanation issues already created similar problems in
compliant implementations: fortunately this is all about parsing
"weird/wrong" records, so to change the required behaviour will only
affect results for not-diligent publishers that published something weird.
>> The intent of rfc2181 is to have multiple identical records to behave as
>> a single record. If you implement a specification on top of DNS you
>> cannot change the intents of the underlying transport and so IMO
>> considering multiple identical RRs as a single one is perfectly VALID
>> for rfc4408 because it is built on top of rfc2181 and we simply SHOULD
>> do that.
> Demanding that a DNS _application_ such as SPF combine multiple identical
> RRs into a single RR would be highly unusual. Show me any other DNS app-
> lication that specifies this.
IMHO the problem is not "to compact or not to compact". The problem is
requiring a PermError (a specific different action) on something that
the DNS spec tell us is not different from a single record.
To use your "question": show me any other DNS application that specifies
a different behaviour on multiple identical RRs ;-)
To unsubscribe, change your address, or temporarily deactivate your
please go to http://v2.listbox.com/member/?member_id=1311533&user_secret=456ecacd
Powered by Listbox: http://www.listbox.com