Re: Conclusions of Last Call for draft-ietf-spfbis-4408bis

On 10 sep 2013, at 13:39, "Murray S. Kucherawy" <superuser@xxxxxxxxx> wrote:

On Tue, Sep 10, 2013 at 4:04 AM, Patrik Fältström <paf@xxxxxxxxxx> wrote:
What we did look at was first of all every query for an MX resource record. Then we look at +/-1 second from the timestamp of that MX query for TXT and/or SPF records for the same owner. We draw the conclusion that if there is a query for an MX record, and then either TXT or SPF (or both) within approximately the same timespan, then they are related queries.

I'm not sure that's a valid conclusion.  Since MX is needed only for a sending system, a receiving system doing an SPF check of either type has no reason to query for MX.  The exception to this might be a heuristic check to see if the domain in the MAIL FROM has MX or A published such that a reply appears to be possible, but I wouldn't expect a strong correlation in your data.

True.

View my explanation just as it was: how we did our calculations. Anyone can draw conclusions from the data.

The problem is that if one looks at just queries to a root server like this, there is lots of what I would call "junk". When looking at TLDs, we saw about 162 million different TLDs each 24h in the QNAME. This time we also saw, for example, queries for SPF and other RR types where the QNAME was an IPv4 address (for example "10.2.3.4.").

So, we found _some_ algorithm was needed instead of "just" counting queries, and we did count the way I just explained.

   Patrik
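
The counting method described in this message (take every MX query, then look for TXT and/or SPF queries for the same owner within +/-1 second), as an added example that is not part of the original message and is not the code used for the measurement. The record layout `(timestamp, qname, qtype)`, the function names, the case-insensitive name matching and the sample data are assumptions made for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import Counter, defaultdict

WINDOW = 1.0  # seconds either side of the MX query, as described in the message

# Constructed sample records: (unix_timestamp, qname, qtype). Not capture data.
SAMPLE = [
    (100.0, "example.com.", "MX"),
    (100.4, "example.com.", "TXT"),
    (100.6, "example.com.", "SPF"),
    (200.0, "example.net.", "MX"),
    (200.9, "example.net.", "TXT"),
    (300.0, "example.org.", "MX"),
    (301.5, "example.org.", "SPF"),  # outside the window: not counted as related
    (400.0, "example.edu.", "TXT"),  # no MX query for this owner: never counted
    (500.0, "Example.COM", "MX"),    # different case, no trailing dot
    (499.2, "example.com.", "SPF"),  # precedes the MX query but is within 1 s
]

def normalize(qname):
    """Assumption: owners match case-insensitively, ignoring the root dot."""
    return qname.rstrip(".").lower()

def correlate(records, window=WINDOW):
    """Classify each MX query by which of TXT/SPF was queried for the same
    owner within +/- window seconds. Returns a Counter keyed by class."""
    times = defaultdict(lambda: {"TXT": [], "SPF": []})
    for ts, qname, qtype in records:
        if qtype in ("TXT", "SPF"):
            times[normalize(qname)][qtype].append(ts)
    for per_owner in times.values():
        for stamps in per_owner.values():
            stamps.sort()  # sorted so the window lookup can use bisect

    def near(sorted_ts, ts):
        # True if any timestamp lies in [ts - window, ts + window]
        return bisect_left(sorted_ts, ts - window) < bisect_right(sorted_ts, ts + window)

    result = Counter()
    for ts, qname, qtype in records:
        if qtype != "MX":
            continue
        per_owner = times.get(normalize(qname), {"TXT": [], "SPF": []})
        txt, spf = near(per_owner["TXT"], ts), near(per_owner["SPF"], ts)
        key = "both" if txt and spf else "txt_only" if txt else "spf_only" if spf else "neither"
        result[key] += 1
    return result
```
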

