Posted to users@spamassassin.apache.org by btb <li...@bitrate.net> on 2015/10/21 19:48:35 UTC
spf records and cnames
are spf records allowed to be a cname? e.g.:
http://dpaste.com/0MR0R3C.txt
is this explicitly addressed in an rfc?
thanks
-ben
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 22.10.2015 at 00:19, Reindl Harald wrote:
>
> On 22.10.2015 at 00:08, Bill Cole wrote:
>> On 21 Oct 2015, at 13:48, btb wrote:
>>
>>> are spf records allowed to be a cname?
>>
>> I can't see any reason why they shouldn't be...
>>
>>> e.g.:
>>>
>>> http://dpaste.com/0MR0R3C.txt
>>>
>>> is this explicitly addressed in an rfc?
>>
>> I don't believe so and there's no reason to. CNAME records trump all DNS
>> record types for a name so it may be usually unwise to have a CNAME
>> record for a name that is used in email address domain parts, but it
>> isn't inherently wrong.
>>
>> A name which is resolved by a CNAME record to a canonical name is
>> forbidden as the result in MX and NS records to prevent resolution
>> loops. That rationally SHOULD be banned for CNAME records as well, but
>> we're decades past the time to argue that.
>
> no it should NOT
and in case "SHOULD be banned for CNAME records as well" was meant as a
CNAME pointing to another CNAME should be banned: the same answer: NO
in large setups with dozens of subdomains finally hosted by different
providers it makes a lot of sense to group them and point to a common
internal and descriptive CNAME which finally points to a CNAME of the
destination provider in case he also groups things that way
just because of three reasons:
* you see the final hostname in the DIG output instead of an IP
* if the provider changes the IP for the host you have nothing to touch
* that's what canonical means
> otherwise you would not be able to set a SPF-record for your CNAMES and
> "reject_unknown_sender_domain" won't hit for a forged subdomain because
> it exists - so SPF *must* work for CNAMES or the whole intention for
> HELO SPF would not work - a wise DNS/SPF setup has "v=spf1 -all" for any
> A-record not used for email and so any CNAME pointing to that A-record
> has the same SPF result with no holes to abuse
>
> the reason why you can't have MX and CNAME at the same time has in fact
> nothing to do with resolution loops - it's because
> the answer would be a split-brain by asking without a specific record type
Re: spf records and cnames
Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Thu, 22 Oct 2015 00:59:04 +0200
Reindl Harald <h....@thelounge.net> wrote:
> so *read* what i refer to and read it really
> YOU SET THE SPF AS ANY OTHER RECORD TYPE FOR A CNAME IMPLICITLY BY DOING
> THAT FOR THE A-RECORD THE CNAME IS POINTING TO
You don't need to yell.
A CNAME does not point to an A record.
Regards,
Dianne.
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 22.10.2015 at 00:26, Dianne Skoll wrote:
> On Thu, 22 Oct 2015 00:19:05 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>> no it should NOT
>
>> otherwise you would not be able to set a SPF-record for your CNAMES
>
> You can't do that anyway. If a domain has a CNAME record, it MUST NOT
> have any other records of any other type whatsoever. So there's no way
> to set an SPF record for a CNAME domain only
what about not stripping away that i explained exactly that?
frankly i showed it even in two posts with DIG results
so *read* what i refer to and read it really
YOU SET THE SPF AS ANY OTHER RECORD TYPE FOR A CNAME IMPLICITLY BY DOING
THAT FOR THE A-RECORD THE CNAME IS POINTING TO AND THE REASON THAT
CNAME/MX IS FORBIDDEN IS SIMPLE: YOU DON'T NEED THE MX WHEN IT POINTS TO
THE SAME HOST AND YOU CAN'T HAVE BOTH WITH DIFFERENT ANSWERS
Re: spf records and cnames
Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Thu, 22 Oct 2015 00:19:05 +0200
Reindl Harald <h....@thelounge.net> wrote:
> no it should NOT
> otherwise you would not be able to set a SPF-record for your CNAMES
You can't do that anyway. If a domain has a CNAME record, it MUST NOT
have any other records of any other type whatsoever. So there's no way
to set an SPF record for a CNAME domain only.
IMO: It's OK for an SPF domain to be a CNAME, but again IMO each CNAME
lookup should count against the SPF DNS lookup limit. Not sure how
practical it is to do that.
RFC 1912:
2.4 CNAME records
A CNAME record is not allowed to coexist with any other data. In
other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
can't also have an MX record for suzy.podunk.edu, or an A record, or
even a TXT record.
Regards,
Dianne.
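The RFC 1912 passage Dianne quotes, and Bill Cole's point about MX and NS targets, can both be checked mechanically over a zone. The following linter is an added example (not code from the thread or from any of its posters) that runs over a constructed zone; the suzy/sue names are borrowed from the RFC text, everything else is made up for illustration. It flags owner names that carry a CNAME next to other data (RFC 1912 section 2.4) and MX/NS records whose target is itself an alias (RFC 2181 section 10.3).

```python
"""Zone sanity checks for the two CNAME rules discussed in the thread.

Added example, not from the mailing list. The ZONE below is constructed;
only the rules themselves come from RFC 1912 s2.4 (a CNAME may not coexist
with other data) and RFC 2181 s10.3 (MX/NS targets must not be aliases).
"""
from collections import defaultdict

# Constructed zone: (owner, type, rdata) tuples, all names fully qualified.
ZONE = [
    ("sue.podunk.xx.",  "A",     "192.0.2.10"),
    ("suzy.podunk.xx.", "CNAME", "sue.podunk.xx."),
    ("suzy.podunk.xx.", "TXT",   "v=spf1 -all"),          # illegal beside a CNAME
    ("podunk.xx.",      "MX",    "10 suzy.podunk.xx."),   # MX target is an alias
    ("podunk.xx.",      "NS",    "ns1.podunk.xx."),
    ("ns1.podunk.xx.",  "A",     "192.0.2.53"),
    ("podunk.xx.",      "TXT",   "v=spf1 mx -all"),
]


def index_zone(zone):
    """Group records by owner name: {owner: {type: [rdata, ...]}}."""
    idx = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in zone:
        idx[owner.lower()][rtype.upper()].append(rdata)
    return idx


def cname_coexistence_errors(zone):
    """RFC 1912 2.4: an owner with a CNAME may carry no other record type.

    Returns a list of (owner, [offending types]) tuples.
    """
    idx = index_zone(zone)
    errors = []
    for owner, types in idx.items():
        if "CNAME" not in types:
            continue
        others = sorted(t for t in types if t != "CNAME")
        if others:
            errors.append((owner, others))
        if len(types["CNAME"]) > 1:
            errors.append((owner, ["multiple CNAME"]))
    return errors


def alias_target_errors(zone):
    """RFC 2181 10.3: the host named in MX/NS rdata must not be a CNAME.

    Returns a list of (owner, type, target) tuples.
    """
    idx = index_zone(zone)
    errors = []
    for owner, types in idx.items():
        for rtype in ("MX", "NS"):
            for rdata in types.get(rtype, []):
                target = rdata.split()[-1].lower()  # drop the MX preference
                if "CNAME" in idx.get(target, {}):
                    errors.append((owner, rtype, target))
    return errors


if __name__ == "__main__":
    for owner, types in cname_coexistence_errors(ZONE):
        print(f"{owner}: CNAME coexists with {', '.join(types)}")
    for owner, rtype, target in alias_target_errors(ZONE):
        print(f"{owner}: {rtype} points at alias {target}")
```

On the constructed zone the first check reports suzy.podunk.xx. (CNAME plus TXT) and the second reports the MX of podunk.xx. pointing at that alias; a zone file generator or a pre-commit hook for DNS changes is the natural place to run checks like these.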
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 27.10.2015 at 20:15, Matus UHLAR - fantomas wrote:
> it does not explain why should it cause problems for HELO SPF. as I have
> already noted, using CNAME for HELO violates SMTP RFC, so there's
> technically no reason to follow CNAME especially in these cases
that is nonsense
the goal of HELO SPF and SPF records for every hostname is to make
forging impossible - the SMTP RFC doesn't matter in that context - the
only question is would an SPF policyd reject a message
[harry@srv-rhsoft:~]$ nslookup www.rhsoft.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
www.rhsoft.net canonical name = proxy.thelounge.net.
Name: proxy.thelounge.net
Address: 91.118.73.4
http://www.openspf.org/Why?s=mfrom;id=test@www.rhsoft.net;ip=89.207.169.8
[harry@srv-rhsoft:~]$ dig TXT www.rhsoft.net @8.8.8.8
; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> TXT www.rhsoft.net
@8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42894
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.rhsoft.net. IN TXT
;; ANSWER SECTION:
www.rhsoft.net. 19174 IN CNAME proxy.thelounge.net.
proxy.thelounge.net. 21599 IN TXT "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
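The two dig outputs above, together with Dianne's remark about the lookup limit, can be turned into a small executable model. The following is an added example, not code from the thread: a minimal RFC 7208 check_host() over an in-memory stub resolver that follows CNAMEs the way a recursive resolver does. The zone dictionary copies the www.rhsoft.net to proxy.thelounge.net records as they appear in the dig output; the names unused.example, alias.example and loop-a/loop-b.example are constructed to show a CNAME inheriting a "v=spf1 -all" policy from its target and a CNAME loop turning into a permerror. Counting every CNAME hop against the lookup limit is the thread's proposal, not what RFC 7208 itself prescribes (the RFC limits DNS-querying mechanisms and modifiers to 10).

```python
"""Resolve an SPF record through a CNAME chain and evaluate it.

Added example, not from the mailing list. The stub zone mirrors the
`dig TXT www.rhsoft.net` answer quoted in the thread (CNAME followed by
the target's TXT); the *.example names are constructed for illustration.
Each CNAME hop is counted against the lookup limit, as suggested in the
thread; RFC 7208 section 4.6.4 itself counts DNS-querying terms, not hops.
"""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Constructed stub zone: (owner, type) -> list of rdata strings.
ZONE = {
    ("www.rhsoft.net.", "CNAME"): ["proxy.thelounge.net."],
    ("proxy.thelounge.net.", "A"): ["91.118.73.4"],
    ("proxy.thelounge.net.", "TXT"): ["v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"],
    ("unused.example.", "A"): ["198.51.100.7"],
    ("unused.example.", "TXT"): ["v=spf1 -all"],      # A record not used for mail
    ("alias.example.", "CNAME"): ["unused.example."],  # inherits that policy
    ("loop-a.example.", "CNAME"): ["loop-b.example."],
    ("loop-b.example.", "CNAME"): ["loop-a.example."],
}


class PermError(Exception):
    """Permanent evaluation error (RFC 7208 result 'permerror')."""


class Resolver:
    """Stub recursive resolver: follows CNAMEs and counts every hop."""

    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0

    def query(self, name, rtype):
        seen = set()
        name = name.lower().rstrip(".") + "."
        while True:
            self.lookups += 1
            if self.lookups > MAX_LOOKUPS:
                raise PermError("too many DNS lookups")
            cname = self.zone.get((name, "CNAME"))
            if cname is None:
                return self.zone.get((name, rtype), [])
            if name in seen:
                raise PermError("CNAME loop at " + name)
            seen.add(name)
            name = cname[0]


def get_spf(resolver, domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    spf = [r for r in resolver.query(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(resolver, ip, domain):
    """Minimal check_host(): supports the a, ip4, ip6 and all mechanisms."""
    record = get_spf(resolver, domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # 'a' with no argument means the domain being checked; its CNAME
            # is followed, so the alias resolves to the target's address.
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for a in resolver.query(target, "A"))
        else:
            raise PermError("unsupported mechanism " + name)
        if matched:
            return RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    r = Resolver(ZONE)
    print(check_host(r, "91.118.73.4", "www.rhsoft.net"), r.lookups, "lookups")
    print(check_host(Resolver(ZONE), "89.207.169.8", "www.rhsoft.net"))
    print(check_host(Resolver(ZONE), "198.51.100.7", "alias.example"))
```

Checking www.rhsoft.net from 91.118.73.4 passes via the a mechanism after four counted lookups (two for the TXT, two more for the A, because the CNAME is followed both times); from 89.207.169.8 it fails on -all, which is the case behind the openspf.org link above. alias.example fails as well, even though it has no TXT of its own, because the resolver hands back the target's "v=spf1 -all"; the loop-a/loop-b pair raises PermError instead of hanging.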
Re: spf records and cnames
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On 22.10.15 00:19, Reindl Harald wrote:
>>>otherwise you would not be able to set a SPF-record for your CNAMES
>>>and "reject_unknown_sender_domain" won't hit for a forged subdomain
>>>because it exists - so SPF *must* work for CNAMES or the whole
>>>intention for HELO SPF would not work
>On 22.10.2015 at 13:55, Matus UHLAR - fantomas wrote:
>>I don't get this. HELO must be canonical name, so it must not be CNAME.
>>Thus, there's no need to follow CNAMEs in SPF when checking for HELO.
>>when you check HELO, the CNAME should be treated as error
On 22.10.15 13:58, Reindl Harald wrote:
>see first response to that thread
it does not explain why it should cause problems for HELO SPF. as I have
already noted, using CNAME for HELO violates the SMTP RFC, so there's technically no
reason to follow CNAME especially in these cases - it's already broken and
failing the check would be (imho) the proper reaction.
>what do i mean with "is always followed"?
[...]
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 22.10.2015 at 13:55, Matus UHLAR - fantomas wrote:
>> On 22.10.2015 at 00:08, Bill Cole wrote:
>>> I don't believe so and there's no reason to. CNAME records trump all DNS
>>> record types for a name so it may be usually unwise to have a CNAME
>>> record for a name that is used in email address domain parts, but it
>>> isn't inherently wrong.
>>>
>>> A name which is resolved by a CNAME record to a canonical name is
>>> forbidden as the result in MX and NS records to prevent resolution
>>> loops. That rationally SHOULD be banned for CNAME records as well, but
>>> we're decades past the time to argue that.
>
> On 22.10.15 00:19, Reindl Harald wrote:
>> no it should NOT
>>
>> otherwise you would not be able to set a SPF-record for your CNAMES
>> and "reject_unknown_sender_domain" won't hit for a forged subdomain
>> because it exists - so SPF *must* work for CNAMES or the whole
>> intention for HELO SPF would not work
>
> I don't get this. HELO must be canonical name, so it must not be CNAME.
> Thus, there's no need to follow CNAMEs in SPF when checking for HELO.
> when you check HELO, the CNAME should be treated as error
see first response to that thread
____________________________
what do i mean with "is always followed"?
well, it doesn't matter for which resource type you ask, first the CNAME
is resolved and the second DNS request then asks that name for the
record type (in case the CNAME points to a different domain not hosted
on the same nameserver it's the client's job to do so because the origin
server won't allow recursion if it is properly configured)
[harry@srv-rhsoft:~]$ dig SPF access.thelounge.net @8.8.8.8
;; ANSWER SECTION:
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN SPF "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
[harry@srv-rhsoft:~]$ dig SPF www.rhsoft.net @8.8.8.8
;; ANSWER SECTION:
www.rhsoft.net. 21599 IN CNAME proxy.thelounge.net.
proxy.thelounge.net. 21599 IN SPF "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
Re: spf records and cnames
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 22.10.2015 at 00:08, Bill Cole wrote:
>>I don't believe so and there's no reason to. CNAME records trump all DNS
>>record types for a name so it may be usually unwise to have a CNAME
>>record for a name that is used in email address domain parts, but it
>>isn't inherently wrong.
>>
>>A name which is resolved by a CNAME record to a canonical name is
>>forbidden as the result in MX and NS records to prevent resolution
>>loops. That rationally SHOULD be banned for CNAME records as well, but
>>we're decades past the time to argue that.
On 22.10.15 00:19, Reindl Harald wrote:
>no it should NOT
>
>otherwise you would not be able to set a SPF-record for your CNAMES
>and "reject_unknown_sender_domain" won't hit for a forged subdomain
>because it exists - so SPF *must* work for CNAMES or the whole
>intention for HELO SPF would not work
I don't get this. HELO must be canonical name, so it must not be CNAME.
Thus, there's no need to follow CNAMEs in SPF when checking for HELO.
when you check HELO, the CNAME should be treated as error.
> - a wise DNS/SPF setup has
>"v=spf1 -all" for any A-record not used for email and so any CNAME
>pointing to that A-record has the same SPF result with no holes to
>abuse
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest.
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 22.10.2015 at 00:08, Bill Cole wrote:
> On 21 Oct 2015, at 13:48, btb wrote:
>
>> are spf records allowed to be a cname?
>
> I can't see any reason why they shouldn't be...
>
>> e.g.:
>>
>> http://dpaste.com/0MR0R3C.txt
>>
>> is this explicitly addressed in an rfc?
>
> I don't believe so and there's no reason to. CNAME records trump all DNS
> record types for a name so it may be usually unwise to have a CNAME
> record for a name that is used in email address domain parts, but it
> isn't inherently wrong.
>
> A name which is resolved by a CNAME record to a canonical name is
> forbidden as the result in MX and NS records to prevent resolution
> loops. That rationally SHOULD be banned for CNAME records as well, but
> we're decades past the time to argue that.
no it should NOT
otherwise you would not be able to set a SPF-record for your CNAMES and
"reject_unknown_sender_domain" won't hit for a forged subdomain because
it exists - so SPF *must* work for CNAMES or the whole intention for
HELO SPF would not work - a wise DNS/SPF setup has "v=spf1 -all" for any
A-record not used for email and so any CNAME pointing to that A-record
has the same SPF result with no holes to abuse
the reason why you can't have MX and CNAME at the same time has in fact
nothing to do with resolution loops - it's because
the answer would be a split-brain by asking without a specific record type
Re: spf records and cnames
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 21 Oct 2015, at 13:48, btb wrote:
> are spf records allowed to be a cname?
I can't see any reason why they shouldn't be...
> e.g.:
>
> http://dpaste.com/0MR0R3C.txt
>
> is this explicitly addressed in an rfc?
I don't believe so and there's no reason to. CNAME records trump all DNS
record types for a name so it may be usually unwise to have a CNAME
record for a name that is used in email address domain parts, but it
isn't inherently wrong.
A name which is resolved by a CNAME record to a canonical name is
forbidden as the result in MX and NS records to prevent resolution
loops. That rationally SHOULD be banned for CNAME records as well, but
we're decades past the time to argue that.
Re: spf records and cnames
Posted by Benny Pedersen <me...@junc.eu>.
On October 21, 2015 7:49:06 PM btb <li...@bitrate.net> wrote:
> http://dpaste.com/0MR0R3C.txt
https://dmarcian.com/spf-survey/email.instantbusinessresources.com
> is this explicitly addressed in an rfc?
don't know, as long as SPF is valid, then it's ok
Re: spf records and cnames
Posted by Reindl Harald <h....@thelounge.net>.
On 21.10.2015 at 19:48, btb wrote:
> are spf records allowed to be a cname? e.g.:
>
> http://dpaste.com/0MR0R3C.txt
>
> is this explicitly addressed in an rfc?
a CNAME is always followed, hence you can't mix CNAME and other
resource types, in other words: yes
otherwise you would need an SPF record for any subdomain existing as
CNAME to prevent forged mail with @subdomain.example.com (a proper SPF
supporting domain has an SPF record for any existing hostname) as envelope
and since "CNAME and others" is not allowed - again: yes
http://www.openspf.org/FAQ/Common_mistakes#helo
[harry@srv-rhsoft:~]$ nslookup access.thelounge.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
access.thelounge.net canonical name = arrakis.thelounge.net.
Name: arrakis.thelounge.net
Address: 91.118.73.6
[harry@srv-rhsoft:~]$ dig TXT access.thelounge.net @8.8.8.8
;; ANSWER SECTION:
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN TXT "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
_______________________________________
what do i mean with "is always followed"?
well, it doesn't matter for which resource type you ask, first the CNAME
is resolved and the second DNS request then asks that name for the
record type (in case the CNAME points to a different domain not hosted
on the same nameserver it's the client's job to do so because the origin
server won't allow recursion if it is properly configured)
[harry@srv-rhsoft:~]$ dig SPF access.thelounge.net @8.8.8.8
;; ANSWER SECTION:
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN SPF "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
[harry@srv-rhsoft:~]$ dig SPF www.rhsoft.net @8.8.8.8
;; ANSWER SECTION:
www.rhsoft.net. 21599 IN CNAME proxy.thelounge.net.
proxy.thelounge.net. 21599 IN SPF "v=spf1 a
ip4:91.118.73.0/24 ip4:95.129.202.170 -all"