[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of David
Sent: Wednesday, March 23, 2005 2:20 PM
Subject: [spf-discuss] Response to DDoS using SPF
The responses I've seen suggested so far include:
1) Use of pre-compiled SPF records to avoid recursive lookups.
2) Responding to an authentication query with an immediate Pass or Fail, no
lookups at all.
Make sure that the processing limits defined in the SPF draft are reasonably
low to minimize the risk of this problem.
The changes could include:
1) Running a daemon on DNS servers that would, maybe once per hour,
re-compile the SPF record for the entire domain.
Much like the idea of dynamic DNS, but you have to be willing (if the record
crosses administrative boundaries) to be somewhat wrong for a period of
2) Adding an IP address to authentication queries, allowing *all* SPF
processing to be done by the sender's domain.
At this point, it's really not SPF anymore, it's a different design.
I would expect that a prudent designer might put load limits into their SPF
checking program, so that if a DDoS attack were detected, SPF checking could
be suspended for a period of time.
Whether any of these changes should be done now depends on how difficult
it is to implement a change. I would like to see some discussion on that.
Whatever changes we make, they should be presented not as "Oops, we made a
mistake." but rather, "Here is the next upgrade, just for those that need
it. If you are not sure you need it, don't worry, it will be easy to add
later." I think SPF is past the point where, to get it accepted,
nothing can be changed in the DNS servers.
I think it's past the point where one might say, "If you make this change to
DNS, then SPF would be better..."
It's not past the point where we could say, "You MUST make this change to
DNS to make SPF work..."
I'm all for trying to figure out how to make it better, just don't announce
that the internet is going to melt if we don't change X.