
Mailing List Archive: SPF: Discuss

Why are so many DNS requests necessary at all?



rg at mdpd

Mar 31, 2005, 2:44 PM

Post #1 of 19 (1462 views)
Why are so many DNS requests necessary at all?

I hope I'm not speaking out-of-turn and I do realize that a lot of effort has been expended on this project thus far...

But, since I am not so familiar with this problem and I believe I may be able to provide a fresh perspective... Here is my question on the DNS topic:



Why are so many DNS requests necessary at all?



It seems to me that any system that needs IP verification via DNS should do so for only the one IP that it needs to verify. Simplified: reverse the verification role and have the DNS (server) zone verify the requested IP and then reply with a pass or fail type token (or it can return the IP itself or no IP if that IP fails.)

This approach seems more efficient and certainly more secure (since no information more than that which is already known is revealed.)

If I am not seeing the big picture, someone please direct me to that picture (or link.) Again, I am not well versed on this problem I hope that has been made clear but I do wish to help it along (if at all possible.)



Thanks,

-Rudy Gomez

-JUST SAY NO TO SPAM!



-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss [at] v2


terry at ashtonwoodshomes

Mar 31, 2005, 3:11 PM

Post #2 of 19 (1456 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

You are assuming that one is validating the IP that the connecting MTA
(sender) is connecting to your (receiver) mail server with. You are
not. Or you are not JUST doing that.

What you are actually validating is that the Domain name in the
MAIL-FROM is allowing their emails to originate from the IP that the MTA
(sender) is connecting to your (receiver) mail server with.

(You may also/instead be validating the mail server's HELO/EHLO name, but
that is a trivial distinction in this context; it's still a foreign
domain name being validated against the foreign IP.)

rg [at] mdpd wrote:

> I hope I'm not speaking out-of-turn and I do realize that a lot of
> effort has been expended on this project thus far...
>
> But, since I am not so familiar with this problem and I believe I may
> be able to provide a fresh perspective... Here is my question on the
> DNS topic:
>
>
>
> Why are so many DNS requests necessary at all?
>
Because many IPs could be originating email that is allowed to say it
is from a specific domain.

>
>
> It seems to me that any system that needs IP verification via DNS
> should do so for only the one IP that it needs to verify. Simplified:
> reverse the verification role and have the DNS (server) zone verify
> the requested IP and then reply with a pass or fail type token (or it
> can return the IP itself or no IP if that IP fails.)
>
That is a good idea. But it does not fit within DNS confines, because
there is not a 1-1 mapping of domain names to IPs. And because you
cannot currently (to my knowledge) ask a DNS server the type of question
I think you are proposing.

> This approach seems more efficient and certainly more secure (since no
> information more than that which is already known is revealed.)
>
It is more efficient if such a server system exists. I don't think it
does. Certainly not DNS; you ask for a resolution of a DNS name and a
record type and get a response. A given IP however could be authorized
to send email for MANY domains. By your method you need to ask the DNS
server "is this domain authorized for this IP?". But all you can ask is
"here is a domain, give me a record of type X". The result is usually
an IP (traditional type of DNS) it can be a boolean response (usually
faked in the form of a non routable IP) or some text string (TXT is what
SPF uses) etc.

But make no mistake the question "is this domain authorized for this
IP?" cannot be stated in the format "here is a domain, give me a record
of type X". Hence your question cannot be answered by a DNS query (or
at least not 1 DNS query).

> If I am not seeing the big picture, someone please direct me to that
> picture (or link.) Again, I am not well versed on this problem I hope
> that has been made clear but I do wish to help it along (if at all
> possible.)
>
I hope this clears it up for you.

Terry

>
>
> Thanks,
>
> -Rudy Gomez
>
> -JUST SAY NO TO SPAM!
>
>


--
Terry Fielder
terry [at] greatgulfhomes
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085



chris at harvington

Mar 31, 2005, 3:36 PM

Post #3 of 19 (1462 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

rg [at] mdpd asked:

> I hope I'm not speaking out-of-turn and I do realize that a lot of effort has
> been expended on this project thus far...
> But, since I am not so familiar with this problem and I believe I may be able
> to provide a fresh perspective... Here is my question on the DNS topic:
>
> Why are so many DNS requests necessary at all?
>
> It seems to me that any system that needs IP verification via DNS should do so
> for only the one IP that it needs to verify. Simplified: reverse the
> verification role and have the DNS (server) zone verify the requested IP and
> then reply with a pass or fail type token
> (or it can return the IP itself or no IP if that IP fails.)
> This approach seems more efficient and certainly more secure (since no
> information more than that which is already known is revealed.)
> If I am not seeing the big picture, someone please direct me to that picture
> (or link.) Again, I am not well versed on this problem I hope that has been
> made clear but I do wish to help it along (if at all possible.)
>
> Thanks,
> -Rudy Gomez

Reasonable question.

The simplest answer - 'cause DNS does not hold the data we need.

The question being asked in SPF is 'is this IP address authorised to send mail
on behalf of this domain?'.

DNS, with MX, gives you a list of the hosts authorised to _receive_ mail, but
not to _send_ mail. Hence the need to (ab)use a DNS TXT field to list the
authorised senders.

In simple cases, that need only involve a single look-up. The multiple look-ups
usually arise if you have a Mail From domain who uses a different domain's
servers to send its mail. Almost all small/medium business and 'vanity' domains
are in this situation. They use an ISPs outbound mail servers. Now those ISPs
are not going to commit to using a stable set of servers for this (defined by
their numeric IP), so, for sensible change-control your small domain 'includes'
the ISP's record, which is then fetched at run-time by the receiver, so it is
known to be the current list used by the ISP.

There are several other situations like that which push up the number of lookups
needed.

This also shows that a single server (with a single numeric IP address) might be
used by hundreds or thousands of domains. The ISP who owns the numeric address
has no idea which domains are (perfectly legally) going to use that server for
their outbound mail. I, for example, have 8 different domains that I can use. I
send all my outbound mail via one ISP, who only knows about 1 of those 8. So
the kind of lookup you suggest just does not work because of the need to cross
these administrative boundaries.

Returning to the normal SPF lookups... under normal circumstances, these
look-ups are cached in the DNS system so, for example, if you receive hundreds
of mails from small businesses all using the same ISP, you would only need one
DNS lookup per message most of the time - the one in which the small business
would 'include' the record of the ISP. You would, most of the time, already have
that ISP's record in your local cache - so the situation is not as bad as you
might think.

What people are currently agonizing over, as I understand it, is whether 'bad
guys' can force there to be a huge number of look-ups - so many that they
overwhelm either a sender's or a receiver's DNS system.

I, personally, am not yet convinced that there has been a strong enough case
made to show that the current SPF1 system is inadequate or seriously 'at risk'
in this respect. Maybe I missed some convincing scenarios...

The last thing we should be doing is raising FUD about the current version
without _very strong_ reason.

I'd far rather see progress on getting the existing system written up and
published as an RFC.

Chris Haynes


p.s. Sorry - just taking the opportunity to vent my spleen at the end there.
Nothing to do with you, Rudy.

p.p.s BTW, it would be _much_ more convenient if you could post in plain text,
not HTML. Thanks


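An added example, not code from Rudy's, Terry's or Chris's posts, that makes the two replies above concrete: a toy check_host() over a constructed in-memory DNS table. The receiver can only ask DNS for the TXT records of a name, so it fetches the MAIL FROM domain's policy and then follows each mx, include and redirect it names, and every one of those is another query. The self-including record shows why RFC 4408 caps the number of DNS-querying terms at 10. All domains (smallbiz.example, _spf.isp.example, _spf.relay.example, loop.example), addresses and records are constructed for the example.

```python
"""Walk an SPF policy over a constructed in-memory DNS table.

Added example, not code from the thread.  DNS can only answer "give me the
TXT records for <name>", never "is <ip> allowed for <domain>", so the
receiver fetches the MAIL FROM domain's record and then follows every mx,
include and redirect it names; each of those is one more query.  All
domains, addresses and records here are constructed.
"""
import ipaddress

# Constructed zone data: smallbiz.example sends through its ISP, whose
# record in turn includes a relay provider (two levels of delegation).
DNS_TXT = {
    "smallbiz.example":   ["v=spf1 mx include:_spf.isp.example -all"],
    "_spf.isp.example":   ["v=spf1 ip4:198.51.100.0/24 include:_spf.relay.example ~all"],
    "_spf.relay.example": ["v=spf1 ip4:203.0.113.10 -all"],
    # Hostile record that includes itself; a naive evaluator never stops.
    "loop.example":       ["v=spf1 include:loop.example -all"],
}
DNS_MX = {"smallbiz.example": ["mail.smallbiz.example"]}
DNS_A = {"mail.smallbiz.example": ["192.0.2.25"]}

MAX_DNS_TERMS = 10   # RFC 4408 s.10.1: cap on mechanisms/modifiers that query DNS
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Stub resolver that records every query so the cost stays visible."""

    def __init__(self):
        self.queries = []

    def txt(self, name):
        self.queries.append(("TXT", name))
        return DNS_TXT.get(name, [])

    def mx(self, name):
        self.queries.append(("MX", name))
        return DNS_MX.get(name, [])

    def a(self, name):
        self.queries.append(("A", name))
        return DNS_A.get(name, [])


def check_host(ip, domain, resolver, budget):
    """Subset of RFC 4408 check_host(): ip4, mx, include, all, redirect=.
    budget is a one-element list shared across includes so the cap applies
    to the whole evaluation, not to each record separately."""
    records = [r for r in resolver.txt(domain)
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("mx", "include"):
            budget[0] += 1
            if budget[0] > MAX_DNS_TERMS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = [h for mx in resolver.mx(arg or domain) for h in resolver.a(mx)]
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            sub = check_host(ip, arg, resolver, budget)
            if sub in ("none", "permerror"):
                return "permerror"   # RFC 4408 s.5.2: included domain must have a record
            matched = sub == "pass"
        else:
            return "permerror"       # mechanism outside this toy's subset
        if matched:
            return QUALIFIERS[qual]
    if redirect is not None:
        budget[0] += 1
        if budget[0] > MAX_DNS_TERMS:
            return "permerror"
        return check_host(ip, redirect, resolver, budget)
    return "neutral"


def evaluate(ip, domain):
    """One MAIL FROM check; returns (result, number of DNS queries issued)."""
    resolver = Resolver()
    result = check_host(ipaddress.ip_address(ip), domain, resolver, [0])
    return result, len(resolver.queries)


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "smallbiz.example"),
                    ("203.0.113.99", "smallbiz.example"),
                    ("192.0.2.25", "smallbiz.example"),
                    ("198.51.100.7", "loop.example")]:
        print(dom, ip, evaluate(ip, dom))
```

A relay-provider address costs five queries (TXT, MX, A, then a TXT per include), an address covered by the ISP's own ip4 range costs four, and the self-including record is stopped by the term cap after eleven TXT queries with a PermError. The repeated fetch of _spf.isp.example is exactly what a caching resolver absorbs, which is the point Chris makes about per-message cost.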


george+spf at m5p

Mar 31, 2005, 3:49 PM

Post #4 of 19 (1460 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

Chris Haynes wrote:

> What people are currently agonizing over, as I understand it, is whether 'bad
> guys' can force there to be a huge number of look-ups - so many that they
> overwhelm either a sender's or a receiver's DNS system.
>
> I, personally, am not yet convinced that there has been a strong enough case
> made to show that the current SPF1 system is inadequate or seriously 'at risk'
> in this respect. Maybe I missed some convincing scenarios...

Second. -- George Mitchell



terry at ashtonwoodshomes

Mar 31, 2005, 3:55 PM

Post #5 of 19 (1462 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

Chris Haynes wrote:

> rg [at] mdpd asked:
>
<snip>

> I, personally, am not yet convinced that there has been a strong enough case
> made to show that the current SPF1 system is inadequate or seriously 'at risk'
> in this respect. Maybe I missed some convincing scenarios...

And the ever hated ME TOO (aka seconded)

Terry

> The last thing we should be doing is raising FUD about the current version
>without _very strong_ reason.
>
>I'd far rather see progress on getting the existing system written up and
>published as an RFC.
>
>Chris Haynes
>
>
>p.s. Sorry - just taking the opportunity to vent my spleen at the end there.
>Nothing to do with you, Rudy.
>
>p.p.s BTW, it would be _much_ more convenient if you could post in plain text,
>not HTML. Thanks
>
>

--
Terry Fielder
terry [at] greatgulfhomes
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085



spf2 at kitterman

Mar 31, 2005, 4:20 PM

Post #6 of 19 (1451 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

...... Original Message .......
On Thu, 31 Mar 2005 17:44:12 -0500 <rg [at] mdpd> wrote:
> I hope I'm not speaking out-of-turn and I do realize that a lot of effort
> has been expended on this project thus far...
>
> But, since I am not so familiar with this problem and I believe I may be
> able to provide a fresh perspective... Here is my question on the DNS topic:
>
> Why are so many DNS requests necessary at all?
>
> It seems to me that any system that needs IP verification via DNS should
> do so for only the one IP that it needs to verify. Simplified: reverse the
> verification role and have the DNS (server) zone verify the requested IP
> and then reply with a pass or fail type token (or it can return the IP
> itself or no IP if that IP fails.)
>
> This approach seems more efficient and certainly more secure (since no
> information more than that which is already known is revealed.)
>
> If I am not seeing the big picture, someone please direct me to that
> picture (or link.) Again, I am not well versed on this problem I hope that
> has been made clear but I do wish to help it along (if at all possible.)
>
This can be done using the exists mechanism, but not easily with standard
DNS programs. This is not for everyone...

Scott Kitterman



dmquigg-spf at yahoo

Mar 31, 2005, 7:05 PM

Post #7 of 19 (1463 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

Sorry for getting into the forwarding issue here, but it is unavoidable in
the discussion of DNS lookups.

At 12:36 AM 4/1/2005 +0100, Chris Haynes wrote:

> In simple cases, that need only involve a single look-up. The multiple
> look-ups usually arise if you have a Mail From domain who uses a different
> domain's servers to send its mail. Almost all small/medium business and
> 'vanity' domains are in this situation.

But these small domains are almost all *not* wanting to operate their own
public mail servers, maintain their own DNS records, etc. They just want
to forward their mail through their ISP.

> They use an ISPs outbound mail servers. Now those ISPs are not going to
> commit to using a stable set of servers for this (defined by their numeric
> IP), so, for sensible change-control your small domain 'includes' the ISP's
> record, which is then fetched at run-time by the receiver, so it is known
> to be the current list used by the ISP.

A more efficient arrangement is for the ISP to act as a normal forwarder,
and *authenticate* the small domain, then *authorize* its own mail
servers. This avoids the need to look up included records from another domain.

> There are several other situations like that which push up the number of
> lookups needed.

Why does *any* domain need to include another domain in its SPF
record? The other domain is acting as a forwarder. It should authenticate
the sending domain just like any forwarder would. If there is some
relationship between the sender and the forwarder, that might make the
authentication trivial, but to anyone downstream it should look like a
normal authentication.

> This also shows that a single server (with a single numeric IP address)
> might be used by hundreds or thousands of domains. The ISP who owns the
> numeric address has no idea which domains are (perfectly legally) going to
> use that server for their outbound mail. I, for example, have 8 different
> domains that I can use. I send all my outbound mail via one ISP, who only
> knows about 1 of those 8. So the kind of lookup you suggest just does not
> work because of the need to cross these administrative boundaries.

This seems like an inherently insecure situation. If an ISP does not
authenticate the domains for which it is forwarding mail, then it must
assume full responsibility for the content of that mail. By simply
authenticating the sender's domain, it can transfer the responsibility for
content to the authenticated sender. The ISPs sole responsibility is then
to do the authentication correctly.

><snip>
>What people are currently agonizing over, as I understand it, is whether 'bad
>guys' can force there to be a huge number of look-ups - so many that they
>overwhelm either a sender's or a receiver's DNS system.
>
>I, personally, am not yet convinced that there has been a strong enough case
>made to show that the current SPF1 system is inadequate or seriously 'at risk'
>in this respect. Maybe I missed some convincing scenarios...
>
> The last thing we should be doing is raising FUD about the current version
>without _very strong_ reason.

Until a week ago, I thought it was all FUD. Radu's research made me
re-consider. I now believe that there is at least a 1 in 10 chance that
the worry is real, probably much more. Given the simplicity of the
solution, I'm focused on that, rather than nailing down the certainty of
the risk. For me, the burden of proof is now on the "don't worry" side. I
would need to be convinced that the risk of attack is negligible, or that
the cost of the solution is more than a week or two to work out some new
syntax.

Most of the anti-SPF stuff I've read sounds like hysterical ranting, lots
of extreme statements with little substantive backup. The one site I've
seen that makes a convincing statement is Dave Crocker's
http://www.mipassoc.org/csv/CSV-Comparison.html I can't confirm these
statements from my own knowledge, but I give Crocker a lot more credibility
than most.

>I'd far rather see progress on getting the existing system written up and
>published as an RFC.

A lot of people outside the SPF community are taking the DNS threat very
seriously. If the solution takes another week or two, it could avoid a
much bigger setback down the road.

-- Dave
David MacQuigg, PhD            email: dmquigg-spf at yahoo.com
IC Design Engineer             phone: USA 520-721-4583
Analog Design Methodologies
9320 East Mikelyn Lane
VRS Consulting, P.C.           Tucson, Arizona 85710




spf2 at kitterman

Mar 31, 2005, 8:20 PM

Post #8 of 19 (1455 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

...... Original Message .......
On Thu, 31 Mar 2005 20:05:01 -0700 David MacQuigg <dmquigg-spf [at] yahoo>
wrote:
> Sorry for getting into the forwarding issue here, but it is unavoidable in
> the discussion of DNS lookups.
>
> At 12:36 AM 4/1/2005 +0100, Chris Haynes wrote:
>
>> In simple cases, that need only involve a single look-up. The multiple
>> look-ups usually arise if you have a Mail From domain who uses a different
>> domain's servers to send its mail. Almost all small/medium business and
>> 'vanity' domains are in this situation.
>
> But these small domains are almost all *not* wanting to operate their own
> public mail servers, maintain their own DNS records, etc. They just want
> to forward their mail through their ISP.
>
>> They use an ISPs outbound mail servers. Now those ISPs are not going to
>> commit to using a stable set of servers for this (defined by their numeric
>> IP), so, for sensible change-control your small domain 'includes' the ISP's
>> record, which is then fetched at run-time by the receiver, so it is known
>> to be the current list used by the ISP.
>
> A more efficient arrangement is for the ISP to act as a normal forwarder,
> and *authenticate* the small domain, then *authorize* its own mail
> servers. This avoids the need to look up included records from another
> domain.
>
>> There are several other situations like that which push up the number of
>> lookups needed.
>
> Why does *any* domain need to include another domain in its SPF
> record? The other domain is acting as a forwarder. It should authenticate
> the sending domain just like any forwarder would. If there is some
> relationship between the sender and the forwarder, that might make the
> authentication trivial, but to anyone downstream it should look like a
> normal authentication.

I think you need to explain what definition of forwarding you are using.
MSA/MTA transmission of an e-mail after submission by an MUA is not what I
think most people mean by forwarding.

Scott Kitterman



winserver.support at winserver

Mar 31, 2005, 8:26 PM

Post #9 of 19 (1451 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

This is a reasonable question, Rudy.

One can make the assertion that once an IP is validated by a domain (the first
time) it doesn't matter what other domain is used against the same IP.

For this assertion to be untrue, the client would have to have been
exploited (open relay, for example). But you will never be able to find this
out unless a statistics-based restriction is used (i.e., too many fails from
the same client).

In other words, once the IP is authorized by SPF, you have a reduced need
to perform an additional SPF lookup when the same client connects. A time
expiration cache can be used to determine when a refresh check should be
done.

This might be translated to an SPF directive where the policy exposes a
refresh time. However, that would need to be secured with a server override
refresh time because you don't want a client saying "This record is good for
X months!"

I like the refresh idea because I also think we need an SPF record expiration
concept to help Neutral/SoftFail people get off their butt to finish their
migration plans.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)



----- Original Message -----
From: <rg [at] mdpd>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss [at] v2>
Sent: Thursday, March 31, 2005 5:44 PM
Subject: [spf-discuss] Why are so many DNS requests necessary at all?


> I hope I'm not speaking out-of-turn and I do realize that a lot of effort
has been expended on this project thus far...

But, since I am not so familiar with this problem and I believe I may be
able to provide a fresh perspective... Here is my question on the DNS topic:



Why are so many DNS requests necessary at all?

It seems to me that any system that needs IP verification via DNS should do
so for only the one IP that it needs to verify. Simplified: reverse the
verification role and have the DNS (server) zone verify the requested IP and
then reply with a pass or fail type token (or it can return the IP itself or
no IP if that IP fails.)

This approach seems more efficient and certainly more secure (since no
information more than that which is already known is revealed.)

If I am not seeing the big picture, someone please direct me to that picture
(or link.) Again, I am not well versed on this problem I hope that has been
made clear but I do wish to help it along (if at all possible.)



Thanks,

-Rudy Gomez

-JUST SAY NO TO SPAM!





william at elan

Mar 31, 2005, 9:48 PM

Post #10 of 19 (1449 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

On Thu, 31 Mar 2005, test only wrote:

> In other words, once the IP is authorized by SPF, you have a reduced need
> to perform additional SPF lookup when the same client connects. A time
> expiration cached can be used to determine when a refresh check should be
> done.
>
> This might be translated to a SPF directive where the policy exposes a
> refresh time. However, that would need to be secured with a server overide
> refresh time because you don't want a client saying "This record is good for
> X months!"

There is no need for this in the SPF record (and it would be a violation of
layers too, since caching is for protocols). DNS has a very strong caching
architecture with features that include refresh time, etc. Since SPF is
using DNS, there is no need to add a "refresh time" to the record; what you
need is to have the SPF client use local caching DNS servers and have the SPF
record entered with a different refresh than the domain zone.

--
William Leibzon
Elan Networks
william [at] elan



spf-discuss at winserver

Mar 31, 2005, 10:15 PM

Post #11 of 19 (1445 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

----- Original Message -----
From: "william(at)elan.net" <william [at] elan>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss [at] v2>
Sent: Friday, April 01, 2005 12:48 AM
Subject: Re: [spf-discuss] Why are so many DNS requests necessary at all?


> > This might be translated to an SPF directive where the policy exposes a
> > refresh time. However, that would need to be secured with a server
> > override refresh time because you don't want a client saying "This record
> > is good for X months!"
>
> There is no need for this in the SPF record (and it would be a violation of
> layers too, since caching is for protocols). DNS has a very strong caching
> architecture with features that include refresh time, etc. Since SPF is
> using DNS, there is no need to add a "refresh time" to the record; what you
> need is to have the SPF client use local caching DNS servers and have the SPF
> record entered with a different refresh than the domain zone.

I was not suggesting crossing the boundary. I was thinking IP (not
domain) caching would be in the SPF server itself.

If the assertion can be made:

SPF result1 = IP1 : DOMAIN1

then

SPF result1 = cache(IP1)

for any incoming domain from the same IP for a limited "quantum/refresh"
time.

The initial SPF(domain) lookup can be used to optionally define the "SPF
refresh time" for this IP.

I think this will work for a system where there is high trust, and in the
real world, the majority of sites use an email model closely resembling a
social network, hence, while DNS provides domain caching, SPF can provide
SPF result caching based on IP.

I think it is so interesting, that I am thinking to pencil it in for R&D or
not. :-)


Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)




william at elan

Mar 31, 2005, 11:09 PM

Post #12 of 19 (1456 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

On Fri, 1 Apr 2005, Hector Santos wrote:

> I was not suggesting of crossing the boundary. I was thinking IP (Not
> domain) caching would be in SPF server itself.

You're still crossing the boundary in a way. The correct relation should
have been DOMAIN:HOST:IP (domain authorizes hosts which have specified
IPs); with that relation the caching of IPs is done by DNS and is not
dependent on changes to the actual list of hosts, and then the feature you
want to add would be easy to handle properly, but as you see below it
can be done right now as well.

> If the assertion can be made:
>
> SPF result1 = IP1 : DOMAIN1
>
> then
>
> SPF result1 = cache(IP1)
>
> for any incoming domain from the same IP for a limited "quantum/resfresh"
> time.

So what you want is to allow the administrator to change the SPF record but
let those using it cache a particular part of it longer. This is an
administration feature that the great majority would not need (how often
do SPF records get changed for the majority of domains?), and those that do can
use the DMP architecture and again use the already existing DNS per-record
caching architecture.

In particular, the setup is to macro-forward the DNS request from the main SPF
record and set a very long caching time for that, a short caching time for
unknown (unauthorized) IPs and somewhere in between (depending on what IP that
is and if it's expected to change) for the actual mail server IP:

example.com. 604800 IN SPF "v=spf1 redirect=%{ir}.%{v}._spf.%{d2}"
; %{v} expands to the single label "in-addr" (or "ip6"), not "in-addr.arpa"
; (RFC 4408 s.8.1), so for 192.168.0.1 the redirect target is
; 1.0.168.192.in-addr._spf.example.com and the owner names below must match.
*.in-addr._spf.example.com. 1800 IN SPF "v=spf1 -all"
1.0.168.192.in-addr._spf.example.com. 86400 IN SPF "v=spf1 ip4:192.168.0.1 -all"
; Caveat: the explicit record above makes 192.in-addr._spf.example.com,
; 168.192.in-addr._spf.example.com and 0.168.192.in-addr._spf.example.com exist
; as empty nodes, and a wildcard does not apply when a name between it and
; the query name exists (RFC 1034 s.4.3.3); other 192.x.x.x addresses therefore
; get NXDOMAIN from this zone rather than the "-all" default.
(above could also be "v=spf1 +all")

Or a simpler alternative (with a non-existent record taking the default as
set by the DNS server):

example.com. 604800 IN SPF "v=spf1 exists:%{ir}.%{v}._spf.%{d2} -all"
1.0.168.192.in-addr._spf.example.com. 86400 IN A 127.0.0.1

> The initial SPF(domain) lookup can be used to optional define the "SPF
> refresh time" for this IP.
>
> I think this will work for a system where there is high trust, and in the
> real world, the majority of sites use an email model closely resembling a
> social network, hence, while DNS provides domain caching, SPF can provide
> SPF result caching based on IP.
>
> I think it is so interesting, that I am thinking to pencil it in for R&D or
> not. :-)

Lucky for us you're not Microsoft, who would already be patenting it ... :)
(and then imposing it on us no matter if it's good for every case or not).

So go ahead with R&D if you have time and resources for it, but I don't
think this feature is needed for SPF (as dns can already do it), and even
if it were there, I don't think it would be much used.

--
William Leibzon
Elan Networks
william [at] elan
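The macro-forwarding setup above, worked through as an added example that is not code from this post or from any SPF implementation: the zone is a constructed in-memory copy of the three records (owner labels under in-addr._spf, since %{v} expands to "in-addr" for IPv4), and the resolver models real DNS wildcard matching, which means an unauthorized IP that shares a prefix with the authorized one (192.168.0.2 here) gets NXDOMAIN rather than the wildcard, so the redirect form ends in permerror instead of fail.

```python
import ipaddress

# Constructed zone for example.com built from the three records in the post.
# Each entry is owner name -> (ttl, SPF record text).  Sample data only.
ZONE = {
    "example.com.": (604800, "v=spf1 redirect=%{ir}.%{v}._spf.%{d2}"),
    "*.in-addr._spf.example.com.": (1800, "v=spf1 -all"),
    "1.0.168.192.in-addr._spf.example.com.": (86400, "v=spf1 ip4:192.168.0.1 -all"),
}

def expand_macros(spec, ip, domain):
    """Expand the SPF macros the post relies on: %{ir}, %{v} and %{d2}."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev, ver = ".".join(reversed(ip.split("."))), "in-addr"
    else:  # IPv6 uses reversed dotted nibbles under "ip6"
        rev, ver = ".".join(reversed(addr.exploded.replace(":", ""))), "ip6"
    d2 = ".".join(domain.rstrip(".").split(".")[-2:])
    return spec.replace("%{ir}", rev).replace("%{v}", ver).replace("%{d2}", d2)

def existing_names(zone):
    """Every name that exists in the zone, including the empty non-terminals
    implied by longer owner names (these decide whether a wildcard matches)."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names

def lookup(zone, qname):
    """Resolve qname with DNS wildcard semantics (RFC 4592): a wildcard only
    matches when no closer enclosing name exists.  None means NXDOMAIN."""
    if qname in zone:
        return zone[qname]
    names = existing_names(zone)
    if qname in names:          # empty non-terminal: NODATA, not a wildcard hit
        return None
    labels = qname.split(".")
    for i in range(1, len(labels)):
        closest = ".".join(labels[i:])
        if closest in names:    # first existing ancestor is the closest encloser
            return zone.get("*." + closest)
    return None

def check_host(zone, ip, domain):
    """Evaluate the record shapes used in the post (redirect=, ip4:, -all).
    Returns (result, ttl); ttl is the smallest TTL on the path, i.e. how long
    a resolver cache answers for this client IP without a new query."""
    rec = lookup(zone, domain.rstrip(".") + ".")
    if rec is None:
        return ("none", 0)
    ttl, rdata = rec
    for term in rdata.split()[1:]:
        if term.startswith("redirect="):
            target = expand_macros(term[len("redirect="):], ip, domain)
            result, sub_ttl = check_host(zone, ip, target)
            # redirect to a name that has no SPF record is a permerror
            return ("permerror", 0) if result == "none" else (result, min(ttl, sub_ttl))
        if term.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:], strict=False):
                return ("pass", ttl)
        elif term == "-all":
            return ("fail", ttl)
    return ("neutral", ttl)
```

The returned ttl is the point of the setup: the authorized mail server's verdict stays cached for 86400 s, an unrelated IP's -all for only 1800 s, with no change to the SPF checker itself.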



chris at harvington

Mar 31, 2005, 11:22 PM

Post #13 of 19 (1461 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

Hector Santos "test only" suggested:

> This is a reasonable question, Rudy.
>
> One can make the assertion that once IP is validated by a domain (the first
> time) it doesn't matter what other domain is used against the same IP.
>
> For this assertion to be untrue, it would have to be the client has been
> exploited (open relay for example). But you will never be able to find this
> out unless a statistical based restriction is used (i.e, too many same
> client fails).
>
> In other words, once the IP is authorized by SPF, you have a reduced need
> to perform additional SPF lookup when the same client connects. A time
> expiration cached can be used to determine when a refresh check should be
> done.
>
> This might be translated to a SPF directive where the policy exposes a
> refresh time. However, that would need to be secured with a server override
> refresh time because you don't want a client saying "This record is good for
> X months!"
>
> I like the refresh idea because I also think we need a SPF record expiration
> concept to help Neutral/SoftFail people get off their butt to finish their
> migration plans.
>


Sorry, Hector. Normally your posts burst into my mind with insight, but this
time it isn't working for me.

You seem to be suggesting that, once an IP has been approved as a sender by
domain A, you should then (for some limited period of time) also trust it for
any other domains (B, C etc) it claims to be sending for.

With no check done on the SPF records for B, C etc.?

You seem to suggest I could send a first outbound message from my MTA using the
valid domain 'badguy.com' (which has an SPF record giving a '+' result for my
sender), then send a series of messages claiming to be from bigbank.com,
bigisp.net etc. to the same recipient and I should be given an SPF '+' for these
messages.

Surely you do not mean that!

Chris Haynes




chris at harvington

Mar 31, 2005, 11:31 PM

Post #14 of 19 (1453 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

"Chris Haynes" added:

> Hector Santos "test only" suggested:
>
> > This is a reasonable question, Rudy.
> >
> > One can make the assertion that once IP is validated by a domain (the first
> > time) it doesn't matter what other domain is used against the same IP.
> >
> > For this assertion to be untrue, it would have to be the client has been
> > exploited (open relay for example). But you will never be able to find this
> > out unless a statistical based restriction is used (i.e, too many same
> > client fails).
> >
> > In other words, once the IP is authorized by SPF, you have a reduced need
> > to perform additional SPF lookup when the same client connects. A time
> > expiration cached can be used to determine when a refresh check should be
> > done.
> >
> > This might be translated to a SPF directive where the policy exposes a
> > refresh time. However, that would need to be secured with a server override
> > refresh time because you don't want a client saying "This record is good for
> > X months!"
> >
> > I like the refresh idea because I also think we need a SPF record expiration
> > concept to help Neutral/SoftFail people get off their butt to finish their
> > migration plans.
> >
>
>
> Sorry, Hector. Normally your posts burst into my mind with insight, but this
> time it isn't working for me.
>
> You seem to be suggesting that, once an IP has been approved as a sender by
> domain A, you should then (for some limited period of time) also trust it for
> any other domains (B, C etc) it claims to be sending for.
>
> With no check done on the SPF records for B, C etc.?
>
> You seem to suggest I could send a first outbound message from my MTA using
> the valid domain 'badguy.com' (which has an SPF record giving a '+' result
> for my sender), then send a series of messages claiming to be from
> bigbank.com, bigisp.net etc. to the same recipient and I should be given an
> SPF '+' for these messages.
>
> Surely you do not mean that!
>
> Chris Haynes
>
>

Ah, I think I see it now. It's all to do with the timing.

Chris Haynes




graham at gmurray

Apr 1, 2005, 2:36 AM

Post #15 of 19 (1449 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

"Chris Haynes" <chris [at] harvington> writes:

> In simple cases, that need only involve a single look-up. The multiple look-ups
> usually arise if you have a Mail From domain who uses a different domain's
> servers to send its mail. Almost all small/medium business and 'vanity' domains
> are in this situation. They use an ISPs outbound mail servers.

This has often been stated, and I have wondered why. I am the owner of
such a "vanity" domain and I work for a small (10 employee)
business. Yet both my personal domain and the business domain run
their own mail servers (which are connected via DSL), both for sending
and receiving mail. Doing this is so much more convenient than using
the ISP's servers. For example, with incoming mail it is possible to
apply whatever checks (SPF, Antivirus, DomainKeys, RBL etc) the domain
owner wishes to apply so that mail which fails these checks can be
rejected at SMTP time rather than being accepted and a bounce
generated later (which most people agree is not a very good
idea). With outgoing mail, the administrator can easily see if mail
has been delayed and queued, and also can check that (and when) the
receiving MX accepted the mail. When sending using the ISP's servers
it is common to not get a notification of problems sending until the
ISP sends an "Unable to deliver for the last xxxxx" message to the sender
after having tried for some time to deliver the message.

So it seems to me that, for systems which have 'always on' connections
to the internet, the benefits of a domain running its own mail server
far outweigh the convenience of letting the ISP do all the work.



chris at harvington

Apr 1, 2005, 2:50 AM

Post #16 of 19 (1437 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

"Graham Murray" opined:

> "Chris Haynes" <chris [at] harvington> writes:
>
> > In simple cases, that need only involve a single look-up. The multiple
> > look-ups usually arise if you have a Mail From domain who uses a different
> > domain's servers to send its mail. Almost all small/medium business and
> > 'vanity' domains are in this situation. They use an ISPs outbound mail
> > servers.
>
> This has often been stated, and I have wondered why.

<snip>

> So it seems to me that, for systems which have 'always on' connections
> to the internet, the benefits of a domain running its own mail server
> far outweigh the convenience of letting the ISP do all the work.


Obviously, it's a business decision. I can think of three factors:

1) Skills and business priorities. Not all small businesses have the skills /
inclination / time to run their own mail services.

2) Not all 'always on' connections have a long-term guarantee about the IP
address they are allocated.

3) Reliability. Few SMEs want the expense and hassle of duplicate connections,
servers, etc. to be sure to be offering an inbound service with a high enough
availability.



Chris Haynes




spf-discuss at winserver

Apr 1, 2005, 3:01 AM

Post #17 of 19 (1472 views)
Re: Why are so many DNS requests necessary at all? [In reply to]

----- Original Message -----
From: "william(at)elan.net" <william [at] elan>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss [at] v2>
Sent: Friday, April 01, 2005 2:09 AM
Subject: Re: [spf-discuss] Why are so many DNS requests necessary at all?


> Lucky for us you're not Microsoft who would already be patenting it ... :)
> (and then imposing on us no matter if its good for every case or not).

It is already prior art: SMTP systems with POP B4 SMTP work under the same
premise - IP cached with a timeout window for the purpose of authorizing a
transaction. :-)

Why do you think I immediately saw possibilities here? It will fit right
into our POP B4 SMTP logic.

> So go ahead with R&D if you have time and resources for it, but I don't
> think this feature is needed for SPF (as dns can already do it) and even
> if it was there, I don't think it would be much used.

You are probably right. I don't see a need for a SPF refresh directive. The
server can handle it.

Please follow me here as to why I think it is good idea. You heard me speak
much of this before.

No doubt, the #1 overhead (and redundancy) is the open-ended lookups for
LMAP domains. By far, the majority either are SPF-NONE or NXDOMAIN. If
anyone has not seen this yet, then they really don't have SPF running in a
production environment, single or widely spread.

Our transaction times were over 1 minute. Keep in mind we have a multiple
test suite system (SPF is just one, so it's not the total reason for the
lengthy time). So it was immediately apparent this needed to get reduced
before putting the product into the customers' hands.

Since RCPT was rejected 65% of the time, it was logical to delay the
validation until it was known whether we have an anonymous final destination
transaction. For remotes, we already have standard SMTP methods to handle
relay authorizations (SMTP AUTH, Allow IP relay tables, and POP B4 SMTP).

This delayed validation reduced the DNS overhead requirement by 65% and
brought down the average transaction time to ~20 seconds. A drastic
improvement. I can't see how anyone can suggest this is an option in a
production environment. It is a requirement as far as I am concerned.

So the issue is mainly applying new logic to anonymous local mail
transactions. This is the basis for the SMTP exploitation by spammers and
spoofers, thus where all efforts are mostly concentrated.

So what do we have? Or, turned around, what don't we have?

We didn't have a way to anchor either an IP or DOMAIN in order to provide
some level of authorization for the anonymous local mail sender.

SPF was invented to allow us to provide this anchor based on the DOMAIN in
order to authorize a machine or network of machines.

In POP B4 SMTP, the anchor is POP3, which inherently requires a user login
authentication. This authorized session is now used to authorize any
pending relay SMTP process predicted to occur after the POP3 mail pickup
process (most MUAs do a POP before an SMTP). This is done by having the POP3
server signal the SMTP server with the POP3 IP connection address. The
SMTP server caches this IP address with an X second or minute timeout window
of opportunity allowing the sender to relay mail, if any does occur. POP
B4 SMTP is used by many ISPs because it helped minimize ISP customer support
headaches with users not having a MUA that supports SMTP AUTH or not
prepared to use it.

So borrowing from the same idea already existing in practice, SPF can serve
as the anchor to provide an SPF authorized IP in a cached window.

The question I have to explore is whether the total savings in time is worth
the effort. For a site that has high transactions from common sources, it
makes sense. If you have 1000 users sending an average of 10 messages and SPF
lookups take an average of 0.5 seconds, you would save ~5000 seconds or ~1.4
hours of transaction time. For an even larger system, the benefits are
greater.

But then again, it might also make sense to white list these people. So the
secondary benefit of the automated SPF IP cache idea is that it will save
administrative maintenance time in white listing people.

Anyway, it has potential :-)

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)
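The cached-window idea above, set against the objection Chris raised in post #13: an added example (not code from either poster or from any product) that runs the same cache twice, once keyed on the client IP alone and once on (IP, domain). The verdict table, the client IP 203.0.113.7, the domain names and the fake clock are all constructed stand-ins for the real SPF lookup.

```python
import time

# Constructed verdicts standing in for the DNS-based check: the client IP is
# authorized by badguy.com but not by bigbank.com (the scenario in post #13).
SPF_VERDICTS = {
    ("203.0.113.7", "badguy.com"): "pass",
    ("203.0.113.7", "bigbank.com"): "fail",
}


class SpfCache:
    """Caches check results for `window` seconds.  key_on_domain=False keys
    on the client IP alone (the per-IP reuse proposed in the thread);
    key_on_domain=True keys on (ip, domain), so a PASS earned by one
    domain is never reused for another."""

    def __init__(self, window, key_on_domain, clock=time.monotonic):
        self.window, self.key_on_domain, self.clock = window, key_on_domain, clock
        self.store = {}
        self.lookups = 0   # how many real SPF lookups were still needed

    def check(self, ip, domain):
        key = (ip, domain) if self.key_on_domain else ip
        now = self.clock()
        hit = self.store.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                      # served from the cache window
        self.lookups += 1
        verdict = SPF_VERDICTS.get((ip, domain), "none")  # the "DNS" lookup
        self.store[key] = (verdict, now + self.window)
        return verdict


class FakeClock:
    """Deterministic clock so the expiry window can be exercised offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def run_scenario(key_on_domain, window=600):
    """One client IP sends as badguy.com, then as bigbank.com inside the
    window, then as bigbank.com again after the window has expired.
    Returns (verdicts, number of real lookups)."""
    clock = FakeClock()
    cache = SpfCache(window, key_on_domain, clock)
    ip = "203.0.113.7"
    verdicts = [cache.check(ip, "badguy.com")]
    clock.t += 10
    verdicts.append(cache.check(ip, "bigbank.com"))
    clock.t += window          # the cached entry has now expired
    verdicts.append(cache.check(ip, "bigbank.com"))
    return verdicts, cache.lookups
```

With the IP-only key the second message gets "pass" for bigbank.com on the strength of badguy.com's record; with the (IP, domain) key it gets "fail", at the cost of one more lookup.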




rg at mdpd

Apr 1, 2005, 7:07 AM

Post #18 of 19 (1444 views)
RE: Why are so many DNS requests necessary at all? [In reply to]

Chris Haynes wrote:

-snip-

> Reasonable question.
>
> The simplest answer - 'cause DNS does not hold the data we need.

REPLY= That is what needs to be created - a new DNS record for that data.

> The question being asked in SPF is 'is this IP address authorised to
> send mail on behalf of this domain?'. DNS, with MX, gives you a list of
> the hosts authorised to _receive_ mail, but not to _send_ mail. Hence
> the need to (ab)use a DNS TXT field to list the authorised senders.

REPLY= I agree on the need, I disagree with the TXT field. This reveals too much information. The authentication should be based solely on one IP and thus can not be done from the outside in.

DNS ZONE
========
;
; Database file TEST.com.dns for TEST.com zone.
; Zone version: 1
;
@ IN SOA dns.server. hostmaster.test.com. (
    1     ; serial number
    1000  ; refresh
    1000  ; retry
    86400 ; expire
    3600 ) ; minimum TTL
;
; Zone NS records
;
@ NS ns1.TEST.net.
@ NS ns2.TEST.net.
;
; Zone records
;
@ A 1.2.3.4
@ MX 1 mx.TEST.com.
* A 1.2.3.4

=======additional========
1.2.3.4 MXO 1.2.3.4
2.3.4.5 MXO 2.3.4.5

====or====
MXO CNAME mxo.ISP.com.

====or====
@ MXO mxo.ISP1.com.
MXO mxo.ISP2.com.
MXO 1.2.3.4
MXO 2.3.4.5

-snip-

> This also shows that a single server (with a single numeric IP address)
> might be used by hundreds or thousands of domains. The ISP who owns the
> numeric address has no idea which domains are (perfectly legally) going
> to use that server for their outbound mail. I, for example, have 8
> different domains that I can use. I send all my outbound mail via one
> ISP, who only knows about 1 of those 8. So the kind of lookup you
> suggest just does not work because of the need to cross these
> administrative boundaries.

REPLY= Incorrect assumption, you can simply enter a CNAME in all your domains to list your ISP entry (for their sending servers.)

> Returning to the normal SPF lookups... under normal circumstances,
> these look-ups are cached in the DNS system so, for example, if you receive
> hundreds of mails from small businesses all using the same ISP, you would
> only need one DNS lookup per message most of the time - the one in which the
> small business would 'include' the record of the ISP. You would, most of the
> time, already have that ISP's record in your local cache - so the situation
> is not as bad as you might think.

REPLY= This is true for any DNS entry, not relevant for this argument.

> What people are currently agonizing over, as I understand it, is
> whether 'bad guys' can force there to be a huge number of look-ups - so
> many that they overwhelm either a sender's or a receiver's DNS system.

REPLY= This seems like a reasonable worry, but they (those bad guys) can already exploit DNS weaknesses without SPF. Since DNS allows for caching, this doesn't seem like such a threat (that is, that it is creating a new type of threat.)

-snip-

> Chris Haynes

-snip-


Sorry about the HTML, I can't seem to send from my regular email account - forced to use mail.com account.

-Rudy Gomez



dejanspf at ztbclan

Apr 3, 2005, 11:02 PM

Post #19 of 19 (1442 views)
RE: Why are so many DNS requests necessary at all? [In reply to]

> But these small domains are almost all *not* wanting to operate their own
> public mail servers, maintain their own DNS records, etc. They just want
> to forward their mail through their ISP.

These domains with a bad policy put the load on their own dns servers; there is
no problem if anyone makes a bad policy which puts a hard load on their own
server. The problem should only be ptr or a malicious include which redirects to
<some.another.unknown.domain.com>.

