CNAME limit

How many CNAMEs should an SPF implementation follow before returning
PermErr?  SHould each CNAME link count as a DNS lookup for the overall
lookup limit?  A quick example to make sure we're on the same page:

loop.example.com        IN CNAME        loop.example.com.

Now, we *could* keep a stack and follow chains of arbitrary depth
while detecting infinite loops.  However, that still makes a CNAME
DOS attack trivial:

evil0.example.com       IN CNAME        evil1.example.com.
evil1.example.com       IN CNAME        evil2.example.com.
evil2.example.com       IN CNAME        evil3.example.com.
...
evil99999.example.com   IN CNAME        evil0.example.com.

An algorithmic DNS server will greatly aid the attacker :-)

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

<Prev in Thread]	Current Thread	[Next in Thread>
CNAME limit, Stuart D. Gathman <= Re: CNAME limit, william(at)elan.net Re: CNAME limit, Stuart D. Gathman RE: CNAME limit, Scott Kitterman RE: CNAME limit, Stuart D. Gathman RE: CNAME limit, Scott Kitterman RE: CNAME limit, Stuart D. Gathman Re: CNAME limit, wayne Re: CNAME limit, wayne Re: CNAME limit, Stuart D. Gathman

Previous by Date:	Re: Enon.com Customer SPF Records Being Fixed, wayne
Next by Date:	Re: CNAME limit, william(at)elan.net
Previous by Thread:	Enon.com Customer SPF Records Being Fixed, Craig Whitmore
Next by Thread:	Re: CNAME limit, william(at)elan.net
Indexes:	[Date] [Thread] [Top] [All Lists]