
Re: DDoS attacks via SPF

2003-12-18 15:43:12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 18 December 2003 01:47, wayne wrote:
> Currently, the SPF spec says that a conforming implementation must
> support include recursion depths of at least 10.  I think there needs
> to be much tighter limits placed on this.

Hi Wayne, I've noticed this too, but I think it's a symptom of SPF copying 
some design mistakes in DNS as a whole: namely the tendency by admins (and 
sometimes encouragement by software design) to point names at names, and not 
at IPs.

The most reliable SPF records are going to be those referencing *only* ip4 and 
ip6 ranges: no includes, no mx, no redirect, no ptr, since this will be 
handled more reliably by the server software than by clients.  And these are 
going to be the records that 99% of domains can serve up without need for 
further queries.  There seems to be a lot of complexity added to the record 
format to cover a very small percentage of cases.

This is relative, the macros and so on are not hard to code by all accounts, 
but the DoS potential is a symptom of this complexity.

Regarding the proposed RFC change:

> An SPF query may trigger subqueries due to includes and redirects.  If
> more than a total of 20 subqueries are triggered, an SPF client MAY
> abort the lookup and return an unknown result.

I don't think it's strong enough; why encourage people to create chains of 
subqueries when the DNS server has all the requisite data to avoid serving 
indirections in the first place?  I think this advice should be reflected in 
the notes for include and redirect; will come up with a further proposed 
amendment if anyone agrees...?

cheers,

- -- 
Matthew Bloch                             Bytemark Hosting
                                  tel. +44 (0) 8707 455026
                        http://www.bytemark-hosting.co.uk/
          Dedicated Linux hosts from 15ukp ($26) per month
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/4i2IT2rVDg8aLXQRApTGAJ90NNiFG35nDYeL/uWaFkEF9+yxkQCeKE1Q
MBsisI+a37vZtFFlPP4mQx4=
=TuoN
-----END PGP SIGNATURE-----

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your 
subscription, please go to http://v2.listbox.com/member/
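The subquery budget discussed in the thread, worked through as an added example (this is not code from the list post, from the SPF draft, or from any SPF library). The evaluator below handles ip4, ip6, include, redirect and all, charges every include/redirect (and any a/mx/ptr/exists term) to a counter, and returns "unknown" once the counter passes the limit, which is the abort the quoted draft text allows. The default limit of 20 mirrors the proposal quoted above; RFC 7208 later settled on 10 DNS-querying terms and the result name "permerror". All domains and records are constructed, held in an in-memory table instead of real DNS. It also shows the point made in the post that a record built only from ip4/ip6 ranges resolves with zero subqueries, while two records that include each other exhaust any budget.

```python
import ipaddress

# Constructed in-memory SPF records (TXT data only); these domains are made up.
RECORDS = {
    "flat.example":   "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "chain.example":  "v=spf1 include:hop1.example -all",
    "hop1.example":   "v=spf1 include:hop2.example -all",
    "hop2.example":   "v=spf1 ip4:198.51.100.0/24 -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class TooManySubqueries(Exception):
    """Raised when include/redirect chasing exceeds the configured budget."""


class SpfEvaluator:
    """Toy SPF checker: ip4, ip6, include, redirect, all.  Other DNS-touching
    mechanisms (a, mx, ptr, exists) are charged to the budget but never match,
    because the constructed table holds no A/MX/PTR data."""

    def __init__(self, records, limit=20):
        self.records = records
        self.limit = limit        # subqueries allowed before giving up
        self.subqueries = 0       # subqueries spent by the last check_host()

    def _subquery(self, domain):
        # Every include/redirect (or a/mx/ptr/exists) costs one subquery.
        self.subqueries += 1
        if self.subqueries > self.limit:
            raise TooManySubqueries(f"more than {self.limit} subqueries at {domain}")
        return self.records.get(domain)

    def check_host(self, ip, domain):
        """Return pass/fail/softfail/neutral/none, or 'unknown' when the
        subquery budget is exhausted."""
        self.subqueries = 0
        try:
            # The initial TXT lookup is the query itself, not a subquery.
            return self._evaluate(ipaddress.ip_address(ip), domain,
                                  self.records.get(domain))
        except TooManySubqueries:
            return "unknown"

    def _evaluate(self, ip, domain, record):
        if record is None or not record.startswith("v=spf1"):
            return "none"
        redirect = None
        for term in record.split()[1:]:
            if term.startswith("redirect="):
                redirect = term[len("redirect="):]   # modifier, applied last
                continue
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            if name == "all":
                return QUALIFIERS[qualifier]
            if name in ("ip4", "ip6"):
                # ipaddress answers False for a mixed v4/v6 comparison
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            elif name == "include":
                # Recurse into the included domain; only a 'pass' there
                # matches this mechanism, anything else means "keep going".
                if self._evaluate(ip, arg, self._subquery(arg)) == "pass":
                    return QUALIFIERS[qualifier]
            elif name in ("a", "mx", "ptr", "exists"):
                self._subquery(arg or domain)   # spends budget, never matches here
        if redirect:
            return self._evaluate(ip, redirect, self._subquery(redirect))
        return "neutral"


def evaluate(domain, ip, limit=20):
    """Result of the check plus the number of subqueries it needed."""
    ev = SpfEvaluator(RECORDS, limit)
    return ev.check_host(ip, domain), ev.subqueries


if __name__ == "__main__":
    for name in ("flat.example", "chain.example", "loop-a.example"):
        print(name, evaluate(name, "192.0.2.10"))
```

The counter is the only thing standing between a client and an unbounded walk: with `loop-a.example` the evaluator stops after limit + 1 subqueries, and lowering the limit to 1 turns the otherwise valid two-hop chain into "unknown", which is why a tight limit also punishes legitimate but deeply nested records.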

