
Re: Trouble with Sender Authentication

On Nov 8, 2006, at 8:30 PM, Scott Kitterman wrote:

On Wednesday 08 November 2006 14:36, Douglas Otis wrote:
On Nov 8, 2006, at 10:10 AM, Scott Kitterman wrote:
On Wed, 8 Nov 2006 09:15:29 -0800 Douglas Otis <dotis@mail-abuse.org> wrote:
When you say the word script, do you mean SPF records (Please,
this is meant to be a yes/no question, there's no need to write a
dissertation that repeats the arguments made earlier in the
thread.  I read those already.)?

The concern is with libraries that execute scripts labeled as SPF
1 or 2 contained within DNS resource records.  A potential attack
utilizing just the access of these resources records has not been
described.

Is that a Yes?

This has been succinctly answered.  Record is _not_ synonymous with
script.

OK, then I guess that's no.

Record != Script. I see from the above that in your view libraries execute scripts, so SPF checking library != Script. I'm not sure what is left.

Rather than rehash your 'succinct' answer, please point me to the page and line number(s) of your draft that either is a script or describes what it is, and I'll look it up there.

Page 11 would be a place to start. Results vary depending upon the library used to execute this script and the starting parameters. A script may invoke other records. In this case, this script invokes 10 MX mechanisms defined by a macro, with follow-on transactions for address records that are perhaps limited by the script processing library. Other scripts, such as in the case of paypal.com, invoke 10 other SPF TXT resource records. The SPF script defines subsequent record transactions. In this case, the %{l} macro is used to select an array of MX RR sets. The script defines the record set, but conversely a record does not define the set comprising the script. Processing the script includes initial parameters not found in any SPF record as well.

It seems best not to confuse the term script with that of record. They are truly different elements.

cert-test.mail-abuse.org.  IN  TXT  "v=spf1
    mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d}
    mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d}
    mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d}
    mx:9.%{l}.%{d} ?all"

-Doug
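Added example, not from this thread or from any SPF library: a small Python routine that expands the %{l} and %{d} macros of the record quoted above for one sender, lists the DNS queries an evaluator would issue, and checks them against the RFC 4408 ceilings a checking library must enforce. The sender address, the helper names and the re-typed record string are constructed for the example; only the four plain macro letters are supported.

```python
import re

# The record quoted above, retyped as one string (constructed test input).
CERT_TEST_RECORD = (
    "v=spf1 "
    "mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d} "
    "mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d} "
    "mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d} "
    "mx:9.%{l}.%{d} ?all"
)

# Terms that cost a DNS query, and the RFC 4408 section 10.1 ceilings a checker enforces.
DNS_TERMS = {"mx", "a", "include", "exists", "ptr", "redirect"}
MAX_DNS_TERMS = 10      # more than 10 query-generating terms -> PermError
MAX_NAMES_PER_MX = 10   # at most 10 MX (or PTR) names are resolved per term

# Only the plain macro letters used in this thread; transformers such as %{l1r} are rejected.
MACRO_RE = re.compile(r"%\{([sldo])\}")
TERM_RE = re.compile(r"([a-z]+)(?:[:=]([^/]*))?(?:/.*)?$", re.I)

def expand_macros(spec, sender, domain):
    """Expand %{s} %{l} %{o} %{d} in a mechanism argument for one sender."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain}
    expanded = MACRO_RE.sub(lambda m: values[m.group(1)], spec)
    if "%{" in expanded:
        raise ValueError("unsupported macro in %r" % spec)
    return expanded

def planned_dns_queries(record, sender, domain):
    """Return (term, query-name) pairs the record issues for this sender, in order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    queries = []
    for term in terms[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))    # drop qualifier and any CIDR suffix
        if not m or m.group(1).lower() not in DNS_TERMS:
            continue                               # all, ip4, ip6, exp= cost no query
        target = expand_macros(m.group(2), sender, domain) if m.group(2) else domain
        queries.append((m.group(1).lower(), target))
    return queries

def check_limits(record, sender, domain):
    """Return (term_count, worst_case_queries, ok); ok is False when the record must PermError."""
    queries = planned_dns_queries(record, sender, domain)
    # mx/ptr: one query plus up to ten address lookups; include/redirect recursion not counted
    worst = sum(1 + MAX_NAMES_PER_MX if name in ("mx", "ptr") else 1 for name, _ in queries)
    return len(queries), worst, len(queries) <= MAX_DNS_TERMS
```

Each distinct local part expands to a fresh set of query names, so resolver caching gives no relief; the per-record ceilings are what bound that cost on the evaluating side.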