Scott Kitterman
2012-07-14 01:28:22 UTC
I'm forwarding two messages (see below) from the SPFbis mailing list. I think
it would be useful to have test cases in the test suite that caught potential
issues like those described below. I'm pretty busy being editor of the 4408bis
at the moment, so I'd appreciate it if some of you could consider this and
make specific proposals for additional tests in the test suite to accommodate
this concern.
http://www.openspf.org/Test_Suite
Scott K
---------- Forwarded Message ----------
Subject: Re: [spfbis] SPF and EAI
Date: Friday, July 13, 2012, 09:27:18 PM
Fortunately, the situation is different now. You can go to
http://www.openspf.org/Test_Suite and get a copy of a comprehensive test
suite that is believed to cover all the RFC 4408 requirements.
I took a look. With respect to macros, it has one test called
dorky-sentinel with a space in a local part, although it's not obvious
to me what the correct answer is supposed to be, one called
upper-macro that tests that upper cased macros do percent encoding,
and invalid-domain-long-via-macro which checks for a macro expansion
that creates an excessively long domain name. There's also a bunch of
other tests that check that macros do what they're supposed to with
normal input.
Other than the one about the space, I don't see any tests for what
happens if the text being expanded contains unexpected hostile
characters.
---------- Forwarded Message ----------
Subject: Re: [spfbis] SPF and EAI
Date: Saturday, July 14, 2012, 01:02:59 AM
> Should be easy enough to add. What would you consider hostile?
> I ask, not just because of the test suite, macro question, but if there are
> potential characters that should be prohibited from SPF records generally due
> to security considerations, I think we should address it in the draft.
It's not characters in SPF records, it's characters in SMTP bounce addresses.
Try some records with %s and %l, and bounce addresses that contain 0x04, 0x1a,
0xa0 and other characters most DNS software doesn't expect.
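To make the proposal concrete, here is an added example (mine, not code from the openspf test suite or from anyone in the thread): a minimal RFC 4408 macro expander together with a pre-query check that shows what happens when a bounce address carrying 0x04, 0xa0, a space, or an over-long local part is expanded through %{l}, %{L} or %{s}. The RFC 4408 parts (transformers, percent-encoding of upper-case macros, dropping left-most labels until the name fits in 253 octets) are as the RFC describes them; everything else is this example's own policy and is labelled as such: %{p} is simplified to "unknown", and a label containing octets outside letters, digits, hyphen and underscore, or longer than 63 octets, is refused before any DNS query is made instead of being passed raw to the resolver. The sender addresses and case names are constructed for illustration.

```python
"""Added example: a minimal SPF macro expander plus a pre-query sanity check
for the hostile-character cases raised in the thread. Not the openspf test
suite's code; the senders and case names below are constructed."""
import re
from urllib.parse import quote

MAX_DOMAIN_LEN = 253   # RFC 4408 8.1: drop left-most labels until the name fits
MAX_LABEL_LEN = 63     # DNS label limit
# Octets this example is willing to hand to a resolver. This is a conservative
# policy chosen for the example, not an RFC rule: letters, digits, '-' and '_'.
SAFE_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")

# domain-spec macro letters only (c, r and t belong to exp= text and are omitted)
MACRO = re.compile(
    r"%(?:\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))", re.IGNORECASE)


def _transform(value, digits, reverse, delims):
    """RFC 4408 8.1 transformers: split on the delimiters, optionally reverse,
    then keep the right-most <digits> parts; always rejoin with dots."""
    parts = re.split("[" + re.escape(delims or ".") + "]", value)
    if reverse:
        parts.reverse()
    if digits:
        parts = parts[-int(digits):]
    return ".".join(parts)


def expand(template, sender, ip, domain, helo="mail.example.com"):
    """Expand an SPF domain-spec. Upper-case macro letters are percent-encoded
    for characters outside the RFC 3986 unreserved set, as RFC 4408 requires.
    %{p} is simplified to 'unknown' (no validated-domain lookup is attempted)."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip, "p": "unknown", "v": "in-addr", "h": helo}

    def sub(m):
        letter, digits, reverse, delims, pct, us, hyph = m.groups()
        if pct:
            return "%"          # "%%" is a literal percent sign
        if us:
            return " "          # "%_" is a space
        if hyph:
            return "%20"        # "%-" is a URL-encoded space
        out = _transform(values[letter.lower()], digits, reverse, delims)
        return quote(out, safe="-._~") if letter.isupper() else out

    return MACRO.sub(sub, template)


def dns_query_name(expanded):
    """Return (name, '') for a name this example would query, or (None, reason)
    when it would refuse. Truncation follows RFC 4408 8.1; refusing unexpected
    octets and over-long labels is this example's own policy."""
    labels = expanded.rstrip(".").split(".")
    while len(".".join(labels)) > MAX_DOMAIN_LEN:
        labels.pop(0)
    if not labels:
        return None, "nothing left after truncation"
    for label in labels:
        if not label:
            return None, "empty label"
        if len(label) > MAX_LABEL_LEN:
            return None, "label longer than %d octets" % MAX_LABEL_LEN
        if not SAFE_LABEL.match(label):
            bad = sorted({"0x%02x" % ord(c) for c in label if not SAFE_LABEL.match(c)})
            return None, "label contains unexpected octets " + ",".join(bad)
    return ".".join(labels), ""


# Constructed cases in the spirit of the thread's proposal (none are from the suite).
CASES = {
    "rfc4408-example":      ("%{ir}.%{v}._spf.%{d2}", "strong-bad@email.example.com",
                             "192.0.2.3", "email.example.com"),
    "control-char-0x04":    ("%{l}._spf.%{d}", "a\x04b@example.com", "192.0.2.1", "example.com"),
    "nbsp-0xa0-lowercase":  ("%{l}._spf.%{d}", "joe\xa0smith@example.com", "192.0.2.1", "example.com"),
    "nbsp-0xa0-uppercase":  ("%{L}._spf.%{d}", "joe\xa0smith@example.com", "192.0.2.1", "example.com"),
    "space-in-local-part":  ("%{l}.%{o}", "dorky sentinel@example.com", "192.0.2.1", "example.com"),
    "label-too-long":       ("%{l}.%{d}", "x" * 70 + "@example.com", "192.0.2.1", "example.com"),
    "name-too-long":        ("%{l}.%{d}", ".".join(["abcdefghij"] * 30) + "@example.com",
                             "192.0.2.1", "example.com"),
}


def run_cases():
    """Expand every case and record whether it would reach the resolver."""
    results = {}
    for name, (template, sender, ip, domain) in CASES.items():
        expanded = expand(template, sender, ip, domain)
        query, reason = dns_query_name(expanded)
        results[name] = (expanded, query, reason)
    return results


if __name__ == "__main__":
    for name, (expanded, query, reason) in run_cases().items():
        print("%-22s %r -> %s" % (name, expanded, query or "REFUSED: " + reason))
```

Two things the run makes visible that the prose only hints at: the upper-case macro does percent-encode the 0xa0 octet, but the result contains "%" and so is no more DNS-safe than the raw byte, and the 253-octet rule silently drops labels from the left, so a long enough local part can make the query land in a quite different part of the tree. Both are worth a test case of their own.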