Gets confused by CNAMEs while parsing SPF records

Bug #954936 reported by Scott Kitterman on 2012-03-14
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyspf (Debian)
Fix Released
Unknown
pyspf (Ubuntu)
High
Unassigned
Lucid
High
Scott Kitterman
Maverick
High
Scott Kitterman
Natty
High
Scott Kitterman
Oneiric
High
Scott Kitterman

Bug Description

Intermediate CNAMEs encountered while parsing SPF records confuse python-spf
into returning a hard error (domain has two or more type TXT spf records) when
really there is no second SPF record, and the existing one is indeed valid.

Discovered while manually looking at the SPF record for
"support.zendesk.com" (which was in turn included by the SPF record for
"dropbox.com"):

 $ /usr/share/pyshared/spf.py support.zendesk.com
 PermError: Two or more type TXT spf records found.

 $ host -t txt support.zendesk.com
 support.zendesk.com is an alias for www.shard-2.int.zendesk.com.
 www.shard-2.int.zendesk.com is an alias for www.pod-1.int.zendesk.com.
 www.pod-1.int.zendesk.com descriptive text "v=spf1 ip4:184.106.12.190
 ip4:173.203.47.176 ip4:173.203.47.177 ~all"

 $ /usr/share/pyshared/spf.py www.pod-1.int.zendesk.com
 v=spf1 ip4:184.106.12.190 ip4:173.203.47.176 ip4:173.203.47.177 ~all

In other words, the SPF record for www.pod-1.int.zendesk.com is valid, and
so is the one for support.zendesk.com, but the (double) indirection via
CNAME(s) causes an error.

The consequence is some domains with valid SPF records are perceived as
having faulty ones, and then depending on how SPF is used on the receiving
end, email messages from the affected domains may be mis-classified as spam
or outright rejected.

TEST CASE: using the existing package, do:

$ /usr/share/pyshared/spf.py cname.kitterman.com

See the error that's generated:
PermError: Two or more type TXT spf records found.

Install the updated packages and repeat:

$ /usr/share/pyshared/spf.py cname.kitterman.com

See that you now get the correct reply:
v=spf1 ip4:72.81.252.18 ip4:72.81.252.19 ip4:208.43.65.50 ip4:72.81.252.20 ?ip4:209.68.4.105 ?include:webmail.pair.com ?include:relay.pair.com -all

Scott Kitterman (kitterman) wrote :

Already fixed in precise.

Changed in pyspf (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Scott Kitterman (kitterman) wrote :

Uploaded for lucid -> oneiric-proposed and verified this is not an issue on hardy.

Changed in pyspf (Ubuntu Lucid):
status: New → In Progress
Changed in pyspf (Ubuntu Maverick):
status: New → In Progress
Changed in pyspf (Ubuntu Natty):
status: New → In Progress
Changed in pyspf (Ubuntu Oneiric):
status: New → In Progress
Changed in pyspf (Ubuntu Lucid):
importance: Undecided → High
Changed in pyspf (Ubuntu Maverick):
importance: Undecided → High
Changed in pyspf (Ubuntu Natty):
importance: Undecided → High
Changed in pyspf (Ubuntu Oneiric):
importance: Undecided → High
Changed in pyspf (Ubuntu Lucid):
milestone: none → lucid-updates
Changed in pyspf (Ubuntu Maverick):
milestone: none → maverick-updates
Changed in pyspf (Ubuntu Natty):
milestone: none → natty-updates
Changed in pyspf (Ubuntu Oneiric):
milestone: none → oneiric-updates
Changed in pyspf (Ubuntu Lucid):
assignee: nobody → Scott Kitterman (kitterman)
Changed in pyspf (Ubuntu Maverick):
assignee: nobody → Scott Kitterman (kitterman)
Changed in pyspf (Ubuntu Natty):
assignee: nobody → Scott Kitterman (kitterman)
Changed in pyspf (Ubuntu Oneiric):
assignee: nobody → Scott Kitterman (kitterman)
Changed in pyspf (Debian):
status: Unknown → Fix Released

Hello Scott, or anyone else affected,

Accepted pyspf into lucid-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pyspf (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in pyspf (Ubuntu Maverick):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Hello Scott, or anyone else affected,

Accepted pyspf into maverick-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pyspf (Ubuntu Natty):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Hello Scott, or anyone else affected,

Accepted pyspf into natty-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pyspf (Ubuntu Oneiric):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Hello Scott, or anyone else affected,

Accepted pyspf into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Scott Kitterman (kitterman) wrote :

Need to find a different domain for the test. support.zendesk.com no longer uses a CNAME.

I set up cname.kitterman.com to recreate the conditions needed to demonstrate
the bug and the fix. Use that instead.

Scott Kitterman (kitterman) wrote :

Verified all (lucid, maverick, natty, oneiric) work with the archive built packages.

tags: added: verification-done
removed: verification-needed
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pyspf - 2.0.5-2ubuntu10.04.0

---------------
pyspf (2.0.5-2ubuntu10.04.0) lucid-proposed; urgency=low

  * Fix issues with false error generation due to CNAMES (LP: #954936
 -- Scott Kitterman <email address hidden> Wed, 14 Mar 2012 07:44:11 -0400

Changed in pyspf (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pyspf - 2.0.5-2ubuntu10.10.0

---------------
pyspf (2.0.5-2ubuntu10.10.0) maverick-proposed; urgency=low

  * Fix issues with false error generation due to CNAMES (LP: #954936
 -- Scott Kitterman <email address hidden> Wed, 14 Mar 2012 07:44:11 -0400

Changed in pyspf (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pyspf - 2.0.5-3ubuntu0.1

---------------
pyspf (2.0.5-3ubuntu0.1) natty-proposed; urgency=low

  * Fix issues with false error generation due to CNAMES (LP: #954936
 -- Scott Kitterman <email address hidden> Wed, 14 Mar 2012 07:42:43 -0400

Changed in pyspf (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pyspf - 2.0.5-5ubuntu0.1

---------------
pyspf (2.0.5-5ubuntu0.1) oneiric-proposed; urgency=low

  * Fix issues with false error generation due to CNAMES (LP: #954936)
 -- Scott Kitterman <email address hidden> Wed, 14 Mar 2012 07:39:05 -0400

Changed in pyspf (Ubuntu Oneiric):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.