On Tue, 2005-06-21 at 22:04 +0000, John Levine wrote:
> If we only permit one SRV record, the typical case takes one lookup,
> the worst case is two. If we permit multiple SRV, hostile senders
> can make lookups arbitrarily slow,

No. If we permit an infinite number of SRV records, then hostile senders
can make lookups arbitrarily slow. If we permit a maximum of N records,
then hostile senders can make lookups only N times as slow as they can

> e.g., what does your implementation
> do with this?

It takes about 20 seconds to say:

550 CSV result: CSA records do not include 2001:8b0:10b:1::1

If you included only _one_ of those SRV records, then it'd still take a

> If we permit multiple RRs, we'll have to add "too slow" heuristics
> like SPF does. Blech.

If we permit an infinite number, we might. A limit could be imposed
which is larger than one, though.

> What are the semantics of multiple SRVs? If they all have the same
> numbers and they're all 1 2 0 or all 1 2 1, we probably agree that we
> take the union of the addresses in the A records as the set of
> authorized addresses. But what do all of the other permutations mean?

Some are obvious, others can be forbidden and result in an error. It
isn't particularly complicated.