Phillip Hallam-Baker wrote:
> On Fri, Aug 23, 2013 at 3:46 PM, manning bill <bmanning@xxxxxxx> wrote:
>> the question is not that "nobody" checks type 99, the question is
>> "is the rate of adoption
>> of type 99 -changing- in relation to type 16?"
>
> As John pointed out, support for checking type 99 has decreased and
> continues to decrease rather than increase. So waiting longer is not going
> to solve the issue.

However, the interest never disappeared. The issue is what are we
waiting for now? The DNS infrastructure support? Why is that such a
problem? Who goes to these IETF meetings? Where are the Microsoft
DNS product managers in these discussions? What do they have to say?

> Putting a statement in an RFC does not mean that the world will
> automatically advance towards that particular end state.

That's correct. No one is forced to support RFC 4408bis. From my
perspective, there are four basic major changes to BIS - all optional:

1 - Add Authentication-Result: 5322.header.
2 - Relax SPF HardFail Policy rejections to Accept-Mark operations.
3 - If 2 is performed, then add code to separate user failed messages.
4 - Remove any support for SPF type99 queries and publishing.

For our SPF implementation, we never did #4 for lack of infrastructure
readiness but are ready to support once the backbone is ready for
it. We will probably do #1 for all non-HARDFAIL results but we
won't do #2 because it will cause a high redesign cost with #3. Not
performing #3 would be a major security loophole if you begin to
support #2. Until we are ready to do #3 and close that security
loophole, #2 won't happen.

> Forcing a WG to adopt a position to suit another constituency is not going
> to lead them to advocate for that position in deployment constituencies.
> Particularly when the original constituency does nothing to advance
> deployment.

+1, but the decision makers really haven't asked the main DNS
constituencies why they have not advanced their (DNS) software or made
it flexible enough for other operators and administrators to
add/manage new RR types or capable of passive and transparent handling
of unknown type recursive passthru queries.

To me, this should be a project leadership responsibility to make sure
the protocol requirements are realistic or not.

--
HLS