What is the possibility that an attacker could list a (SID|SPF) record
with references to ~thousands of domains, forcing my SMTP server to spend
large amounts of time and/or processing power validating the junk data?
What other similar kinds of attacks are enabled by infinite extensibility?
There is also still the argument that 513-byte records affect a DDoS
attack against my domain.
The more I think about this, the less I think that extensibility is a good
idea in general. I actually think that constraining the authorization data
to addresses, mx, and domains is probably best, and requiring everything
else go into an external policy document that I will only check in certain
other cases.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/