Subject: Re: [spfbis] Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard Date: Mon, Aug 19, 2013 at 03:59:50PM -0400 Quoting John R Levine (johnl@xxxxxxxxx
> >>>* The charter disallows major protocol changes -- removing the SPF RR type
> >>>is a direct charter violation; since SPF is being used on the Internet. ...
>
> The SPF working group discussed this issue at painful, extensive length.
>
> As you saw when you read the WG archives, there is a significant
> interop bug in rfc 4408 in the handling of SPF and TXT records,
> which (again after painful and extension discussion) we decided the
> least bad fix was to get rid of SPF records. I don't see anything
> in your note about how else you think we should address the interop
> bug.
It is in the archives, but for your convenience, and in haste:
SPF MUST be published. TXT MAY be published to help in migration. If both,
they MUST align. [0]
The lookup order should be : Ask for SPF, if not found, ask for TXT,
if not found, return ANY. Long-term, one may disregard the TXT fallback.
If TXT and SPF differ (and TXT happens to look like SPF syntax), assume
that migration is in place, discard TXT and use SPF.
And before the whining on query rate starts: The amount of queries is
presently uninteresting from a DNS operations perspective. Does matter
much less than the squatting on TXT. Besides, we've got caching in DNS,
which scales very well.
Caching in itself does introduce some pits to fall in, especially
regarding TTL in migration states. If deemed suitable, some
recommendations on TTL can be discussed. These should however be limited
to the unique situation that is trying to publish the same record
twice. My naïve hunch is to either recommend publishing both with the
same TTL or possibly TXT with a significantly shorter. The latter is
probably only interesting in short-term migration states.
This discussion is however best had on the spfbis mailing list, after
the -19 draft is sent back.
> In your case it doesn't matter, since your TXT and SPF records make
> no usable assertions, but a lot of people use SPF right now as part
> of their mail stream management.
Off-topic: They do make usable assertions. It is just that my email policy
seems to differ from what you think prudent. I believe I'm free to have
a differing policy.[1]
Praeterea censeo, Carthaginem esse delendam.
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Don't hit me!! I'm in the Twilight Zone!!!
[0] Please note that my besserwisser.org records are SPF only.
The fact that there is argumentation with a funny prefix in
some TXT records is simply "some use" of TXT records.
[1] Mail from me should be authenticated by my PGP signature, not by
which IP address that happened to deliver it to your MX node.
Attachment:
signature.asc
Description: Digital signature