Open apio-sys opened 2 weeks ago
I think you mean to refer to:
Which is in milestone v1.9, while:
Was already released in v1.7.
Thanks for your reply. If that was already in 1.7 I should also have it in my fork of main (correct?), but my result shows wrongly as > 10 DNS lookups here https://fr.conformite-internet.fr/mail/developpement-durable.gouv.fr/62/#mailauth where I only count 6 lookups. In production I don't have the alert https://internet.nl/mail/developpement-durable.gouv.fr/1271656/#control-panel-11 but the table of lookups doesn't show either, hence I thought that it would be included in 1.9 only. So my question remains: how come current main has an incorrect lookup count?
I see the same on our internal dev version (on https://github.com/internetstandards/Internet.nl/commit/4ceeabadcc11b2a06374310b6b598b25c971dde2). The behavior seems to be correct: I count 12, but the table can be more clear about it.
See RFC 7208 - § 4.6.4. DNS Lookup Limits:
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.
$ dig +noall +answer developpement-durable.gouv.fr MX
developpement-durable.gouv.fr. 23988 IN MX 5 relternet-01.developpement-durable.gouv.fr.
developpement-durable.gouv.fr. 23988 IN MX 10 cs.relternet-01.developpement-durable.gouv.fr.
developpement-durable.gouv.fr. 23988 IN MX 10 ca.relternet-02.developpement-durable.gouv.fr.
developpement-durable.gouv.fr. 23988 IN MX 5 relternet-02.developpement-durable.gouv.fr.
developpement-durable.gouv.fr. 23988 IN MX 10 cs.relternet-02.developpement-durable.gouv.fr.
developpement-durable.gouv.fr. 23988 IN MX 10 ca.relternet-01.developpement-durable.gouv.fr.
Since this MX has 6 records, it will need another +6 DNS lookups.
Note that some tools like Easy DMARC under- and over-count, e.g. see Easy DMARC developpement-durable.gouv.fr which counts 6 (while it is 12, so it undercounts) and Easy DMARC rijksoverheid.nl which says 14 while it is 9 (so it overcounts). Others that undercount are:
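Added example (not Internet.nl code, not from this thread): a counter that applies the RFC 7208 § 4.6.4 rule quoted above to a constructed, offline copy of the records. The six MX hosts are the ones from the dig output; the content of _spf.developpement-durable.gouv.fr and the *.example.invalid names are assumed placeholders chosen so that the include costs the 4 further lookups implied by the manual count of 6. Setting expand_mx=False reproduces the undercount of tools that charge "mx" as a single lookup.

```python
# RFC 7208 section 4.6.4 lookup counter. CONSTRUCTED data: the six MX hosts are
# the ones quoted in this thread; the _spf.* record content and the
# *.example.invalid names are placeholders (assumed), not the real records.
SPF_TXT = {
    "developpement-durable.gouv.fr":
        "v=spf1 mx include:_spf.developpement-durable.gouv.fr -all",
    "_spf.developpement-durable.gouv.fr":  # placeholder: 4 lookup-causing terms
        "v=spf1 a include:spf-a.example.invalid include:spf-b.example.invalid"
        " include:spf-c.example.invalid -all",
    "spf-a.example.invalid": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf-b.example.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf-c.example.invalid": "v=spf1 ip4:203.0.113.0/24 -all",
}
MX_RECORDS = {
    "developpement-durable.gouv.fr": [
        "relternet-01.developpement-durable.gouv.fr",
        "cs.relternet-01.developpement-durable.gouv.fr",
        "ca.relternet-02.developpement-durable.gouv.fr",
        "relternet-02.developpement-durable.gouv.fr",
        "cs.relternet-02.developpement-durable.gouv.fr",
        "ca.relternet-01.developpement-durable.gouv.fr",
    ],
}
# Terms that trigger a DNS query; ip4/ip6/all and exp= do not count.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10

def count_lookups(domain, expand_mx=True, _stack=frozenset()):
    """DNS lookups needed to evaluate the SPF record of `domain`."""
    if domain in _stack:  # include/redirect loop: stop counting here
        return 0
    total = 0
    for term in SPF_TXT.get(domain, "").split()[1:]:  # skip "v=spf1"
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name, arg = name.split("/")[0], arg.split("/")[0]  # drop CIDR suffix
        if name not in LOOKUP_TERMS:
            continue
        total += 1  # the mechanism/modifier itself costs one lookup
        target = arg or domain
        if name == "mx" and expand_mx:
            total += len(MX_RECORDS.get(target, []))  # one query per MX host
        elif name in ("include", "redirect"):
            total += count_lookups(target, expand_mx, _stack | {domain})
    return total

def exceeds_limit(domain):
    """True when evaluating the record needs more than 10 lookups."""
    return count_lookups(domain) > MAX_LOOKUPS
```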
Thanks for the detailed explanation! Indeed I counted 6 "manually" but didn't look at the MX records, which explains the 12 and hence the > 10 warning/error. So that means the main branch is doing this correctly (and thus my fork running off it), but the production 1.8.6 is still undercounting (until this pushes in 1.9 then, as I understand).
It should be good to include this count in the table, so these (valid) questions don't occur when this is live. Especially since all these other tools under count the DNS lookups.
Indeed that would be great, otherwise we would get returns like "but it works on MXToolbox" or whatever other "trusted" tool, and a table showing the lookups actually counted will clarify it instantly. Happy to keep testing on main before it gets pushed out of course.
The Check for max of 10 DNS lookups in SPF test seems to already be treated in #286 and marked for milestone 1.9, so not visible in current production. Since I used the main branch for my dev setup, I should already see the results. And indeed when checking this domain: https://fr.conformite-internet.fr/mail/developpement-durable.gouv.fr/62/#mailauth I have different results than Internet.nl prod. However this may be a false positive. Internet.nl seems wrong since it is only reading the domain's direct SPF
v=spf1 mx include:_spf.developpement-durable.gouv.fr -all
and not drilling down in the include lookups. My setup seems to look at the included records but I think it flags this abusively as over 10 DNS. If I count them manually while drilling down, I find: i.e. 6 lookups in total. I think it is not working as supposed yet in main, so it might be worth rechecking this before pushing it to 1.9.