Mailing List Archive: SPF: Discuss

Processing limits (was: DNSOP Agenda for San Diego (IETF 67))

Index | Next | Previous | View Threaded

julian at mehnle

Oct 31, 2006, 8:39 AM

Post #1 of 4 (2133 views)
Permalink

Processing limits (was: DNSOP Agenda for San Diego (IETF 67))

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> On Tue, 31 Oct 2006, Alex van den Bogaerdt wrote:
> > Let's face it. Waiting for the type99 record was good, but also
> > allowing txt records (and worse: promoting to use TXT records) may have
> > been a mistake.
>
> I publish and check type99 records - and encourage others to do the same.

Same here.

> RFC lawyer question: 4408 says I SHOULD limit the size of DNS queries.
> Fine - I do that. But what should the result be when the size is
> exceeded? None? TempError?

You mean "limit the total amount of data obtained from the DNS queries",
not "limit the size of DNS queries", right?

The RFC itself is mute about how to react, so you can do whatever you want
and still be compliant. Speaking not as an RFC lawyer but as an
architect, I'd say TempError.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFR3w8wL7PKlBZWjsRArq7AJ9EaRjycpiQtzsjH7c/ZoIB4S0RGgCfcWJV
CzmM4sgU/xjQWQvyJKGpJdA=
=PqvY
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss[at]v2.listbox.com

alex at ergens

Oct 31, 2006, 12:57 PM

Post #2 of 4 (1981 views)
Permalink

Re: Processing limits (was: DNSOP Agenda for San Diego (IETF 67)) [In reply to]

On Tue, Oct 31, 2006 at 04:39:23PM +0000, Julian Mehnle wrote:

> The RFC itself is mute about how to react, so you can do whatever you want
> and still be compliant.

Which is exactly why I was fighting in similar cases to get a clear,
explicit, limit. Unfortunately this one passed without me noticing.

IIRC a similar discussion occured when talking about processing limits.
These kind of limits cannot be fuzzy, Julian just pointed out why not.

Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss[at]v2.listbox.com

julian at mehnle

Nov 1, 2006, 3:32 AM

Post #3 of 4 (1949 views)
Permalink

Processing limits (was: DNSOP Agenda for San Diego (IETF 67)) [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> To damp Doug's attack without counting bytes (shudder) maybe a total
> limit of about 40 queries (10 mechanisms + 30 names) would do [...]

As much as I'd like to do that, we can't really do it with "v=spf1"
anymore. The best we can do without losing backwards compatibility is
issue a security amendment RFC that defines a "security-level=n" modifier.

A record that wishes to comply with security level 1 (0 being vanilla RFC
4408) must feature a "security-level=1" modifier and comply with tightened
processing limits. Receivers can then decide whether they still want to
process SPF records of a lower security level or ignore them instead.

This might also be a useful feature for SPFv3.

Otherwise, recommending that receivers throw a PermError when hitting
limits that are lower than what RFC 4408 explicitly specifies is highly
problematic.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFSIXGwL7PKlBZWjsRAudSAJ9r1x4JublgnZ28GfzqvVnzyoeRuACeO0qR
TbdB72nttO+s2kDMSzVgK9U=
=xrA/
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss[at]v2.listbox.com

nobody at xyzzy

Nov 1, 2006, 7:20 AM

Post #4 of 4 (1968 views)
Permalink

Re: Processing limits [In reply to]

Julian Mehnle wrote:

> This might also be a useful feature for SPFv3.

Sure, anything with a new tag can specify whatever it likes.

> Otherwise, recommending that receivers throw a PermError when hitting
> limits that are lower than what RFC 4408 explicitly specifies is highly
> problematic.

Indeed, it is. But if we can determine new limits not used in the wild
(outside of attack scenarios) we're free to add them below the already
existing SHOULD in a 4408bis (or maybe in the 4408 errata).

Maybe as TempError, Wayne's idea was NONE for this SHOULD, your and my
idea was TempError, but ideally it's of course a PermError. If it does
not break "too many" published policies. Where something below 10ppm
might be acceptable if it's really important against attacks.

After all the status is "experimental", it won't be upgraded to "PS"
with precisely the same text as is, e.g. we'll fix the errata, maybe
we publish some interop reports based on the test suite in a separate
document, maybe some "lessons learned" in a third document, the works.

And we can propose a 4408bis whenever we feel like it (e.g. after some
months without changes in the errata), we're not forced to wait until
2008 - that's not our timer, it's a timer of a former IESG.

BTW, there are even folks who are not shy to add dubious dots to a spec.
for in essence aesthetical reasons, while the author of RFC 2821 and
the author of RFC 2045 agree to remove that dot from an 2821bis draft,
because it's not backwards compatible wrt SMTP. In presence of an SPF
Council member (hi William) on the SMTP list.

The processing limits aren't "nice to have", they're really important.

I don't propose to break numerous published policies, that's why I was
against the SenderID "compatibility" clause, or the hopefully harmless
trailing dot (as long as nobody uses it it's definitely harmless, and
those who try it are free to change their mind if they get PermErrors).

But fixing bugs and security considerations if necessary is on another
level, IMO that's why they (IETF) have this "standards process" with
several steps.

Frank

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss[at]v2.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com