How many CNAMEs should an SPF implementation follow before returning
PermErr? Should each CNAME link count as a DNS lookup for the overall
lookup limit? A quick example to make sure we're on the same page:

    loop.example.com IN CNAME loop.example.com.

Now, we *could* keep a stack and follow chains of arbitrary depth
while detecting infinite loops. However, that still makes a CNAME
DOS attack trivial:

    evil0.example.com IN CNAME evil1.example.com.
    evil1.example.com IN CNAME evil2.example.com.
    evil2.example.com IN CNAME evil3.example.com.
    ...
    evil99999.example.com IN CNAME evil0.example.com.

An algorithmic DNS server will greatly aid the attacker :-)
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
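
Added example (not part of the original message, and not code from any SPF implementation): one way to bound CNAME following, assuming each hop is charged to the per-evaluation lookup budget and a fixed hop cap applies on top of loop detection. The names `resolve`, `Budget`, `PermError`, the constructed `ZONE` table and both limits of 10 are assumptions for illustration; the post leaves the actual numbers open.

```python
# Constructed zone data standing in for DNS answers; names mirror the post.
ZONE = {
    "loop.example.com": ("CNAME", "loop.example.com"),
    "www.example.com": ("CNAME", "host.example.com"),
    "host.example.com": ("TXT", "v=spf1 -all"),
}
# The post's evil0..evilN ring, built here at a smaller size (N = 1000).
for i in range(1000):
    ZONE[f"evil{i}.example.com"] = ("CNAME", f"evil{(i + 1) % 1000}.example.com")

MAX_CNAME_HOPS = 10  # assumed cap on CNAME links per name


class PermError(Exception):
    pass


class Budget:
    """Lookup counter shared across one SPF evaluation."""

    def __init__(self, limit=10):  # assumed overall lookup limit
        self.limit = limit
        self.used = 0

    def charge(self):
        self.used += 1
        if self.used > self.limit:
            raise PermError("DNS lookup limit exceeded")


def resolve(name, budget, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from `name`; every query is charged to `budget`."""
    seen = set()
    for _ in range(max_hops + 1):
        name = name.rstrip(".").lower()
        if name in seen:  # catches short loops early
            raise PermError(f"CNAME loop at {name}")
        seen.add(name)
        budget.charge()  # each link counts, CNAME or not
        rtype, data = ZONE.get(name, (None, None))
        if rtype != "CNAME":
            return name, data  # final answer (data is None if no record)
        name = data
    # A long ring never revisits a name within the cap, so the cap is
    # what bounds the work, not the loop check.
    raise PermError(f"more than {max_hops} CNAMEs")
```

With these limits the self-referencing record fails after one query, while the long ring fails on the hop cap or the shared budget, whichever is reached first.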