nobody at xyzzy
Mar 28, 2008, 1:44 PM
Post #28 of 47
(7542 views)
Permalink
|
Julian Mehnle wrote:
> I think we should make decisions in this order. The RFC 4408 test
> suite depends solely on how we interpret RFC 4408 as it is now.
Yes, and as I never tried to implement my interpretation it's only
that, an interpretation, not running code.
I'd disagree with the point where you say that RFC 4408 considered
adjacent dots and overlong labels as valid <target-name>, I think
it simply forgot to discuss invalid <target-name>s apart from the
2.5.7 note.
IOW we screwed up, fortunately only in a totally obscure corner
case mostly relevant for test suites and errata. Maybe it could
be a vulnerability if spammers find servers where they like an
intentionally provoked Permerror better than no match, or v.v.,
depending on the receiver policy.
> Any RFC 4408 errata should then amend the RFC to clarify what it
> already says (albeit contradictorily or otherwise ambiguously).
Yep, additional 2.5.7 clarification for PermError, or stripping
the questionable statement for "no match" are good. I'm less
thrilled by "clarification that implemenations are free to pick
either PermError or no match, certainly not TempError", but it's
also possible.
Based on that, one thing is sure, just removing the section from
the errata page as "rejected" is out, whatever we pick, it needs
some text.
I think I can come up with a proposal for the three choices:
PermError => add note that this is about a syntactically invalid
<target-name> for DNS, for example adjacent dots.
No match => say that the 2.5.7 statement was wrong and should
be ignored, reflecting common "no match" practice.
Pick => say that some implementations skip a syntactically
invalid DNS <target-name>, e.g., adjacent dots.
> In any case, RFC 4408 errata are not supposed to modify the
> (originally intended) semantics of RFC 4408.
I fear we simply forgot to think about this corner case, and so
"originally intended semantics" equals a blind spot in our pre-
4408 reviews.
> Let's face it, PermError is far from clearly defined per RFC
> 4408.
Yeah, things can get tricky if many receivers decide to accept
PermError. In that case the spammers have to "educate" them ;-)
After that education, if PermError for legit mail simply means
"fix your policy", it's IMO fine. Admittedly the plan was to
limit it to "fix the policy because it's syntactically broken".
"Fix your policy" covering invalid <target-name> is still KISS.
> You may recall me having fought long and hard for making
> SPF(NXDOMAIN) to be considered a case of PermError.
Yes, but your concept was not simply "fix your policy", or was
it ? At that time we also had discussions about rejecting a
PermError at all, until we finally decided that it is receiver
policy.
> Now I think we ought to stick to that school of thought and
> treat "broken" <target-name>s as no-match, too.
I don't insist on it, I take the easy way out: Whatever the
test suite decides, and I'm aware that it already decided it,
but you could still change your mind, I have an idea what to
do with the "last erratum" as noted above. For TempError I'd
have no idea, but we have consensus that TempError is out.
> given a policy using %{h}, why should "HELO whacky..spammer"
> result in "PermError" when "HELO whacky.spammer" results in
> "Fail" or "SoftFail"?
Or "Neutral". The best decision depends on what you consider
as the possible *future* best common practice for receivers:
A rejected PermError is better than an accepted Neutral, and
a rejected Fail is better than an accepted PermError. As you
know I like SPF FAIL and hope that more domains will use it.
It is okay if you decide that "no match" does the trick.
We were not wasting time, until today I didn't have it clear
that a consistent erratum or clarification for 2.5.7 matching
any decision in the test suite is possible and required.
> for the "mech:<more-than-63-chars>.com" case, I could be
> convinced that this is a separate issue from the macro
> expansion one
Different, you could find it without instantiating macros.
> since it clearly is NOT a syntax error per RFC 4408, it
> would still be hard to justify a PermError result.
In the sense of "fix your policy" that is not hard, and it
is clearly an invalid label. Either a typo or a malicious
policy attacking the time resources of folks discussing
SPF test suites and errata, or another seriously bad idea.
I don't see how this case could ever result in an erratum.
Better decide the <target-name> handling first ignoring
this. After that decision it's easier, e.g. it could make
sense to pick the same solution for KISS and consistency,
it could also make sense to allow PermError or "no match"
for the overlong label.
Frank
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1007/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com
|
