In <20031218212908(_dot_)GO31242(_at_)dumbo(_dot_)pobox(_dot_)com> Meng Weng
Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
On Wed, Dec 17, 2003 at 07:47:11PM -0600, wayne wrote:
|
| I propose that there should be a limit of, say, 4-8 DNS queries in
| toto, for all levels of includes and redirects.
Proposed change to the RFC text:
An SPF query may trigger subqueries due to includes and redirects. If
more than a total of 20 subqueries are triggered, an SPF client MAY
abort the lookup and return an unknown result.
Regular lookups such as A and MX queries do not count toward this total.
I think allowing 20 DNS lookups is still far too many. How long would
20 DNS lookups take? Even if they are only 100ms each (50ms to the
DNS server, 50ms back), we are talking about 2 seconds to process a
single SPF check. If you consider that all too many DNS lookups are
more in the range of 200-600ms, you are talking about some serious
delays here.
What we have here is yet another balancing act. For publishers of SPF
records, we want to allow lots of flexibility. However, to people
checking SPF records, we have to minimize the cost. Moreover, we must
prevent innocent third parties from being abused.
20 DNS lookups, especially when you exclude A and MX requests, is just
far too large an amplification factor.
Can you give an example where a SPF publisher really *needs* to use
more than 4 lookups to someplace external to the domain being checked
or 8 lookups total?
And, on this subject, why is the "a" record recommended by the SPF
wizards? Shouldn't the default almost always be "v=spf1 mx -all"
if the domain has any MX records?
| toto, for all levels of includes and redirects. SPF implementations
| MUST NOT query more than this. I also think there should be a limit
| to the number of bytes that will be parsed, and that limit be
| something like 512-2048.
I think there needs to be a limit on the total number of bytes also.
People who check SPF records need to be certain that the process
*will* halt in a reasonable amount of time.
-wayne
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
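The two limits argued over in this message, a cap on include/redirect subqueries and a cap on the total bytes of SPF records parsed, as an added example that is not code from the thread, from the SPF draft or from any SPF implementation. It walks a constructed in-memory zone in place of DNS; the domains, the records and the `check_limits` helper are invented for illustration. It also tallies the a/mx/ptr/exists terms that the proposed RFC text leaves out of the count, so the gap between "subqueries" and actual DNS traffic is visible, and it shows that either limit alone makes evaluation halt on a self-referencing record.

```python
"""Budgeted walk of SPF include/redirect chains (added example, not from the
thread or from the SPF project).

Two limits are enforced while walking: a cap on include/redirect subqueries
(the proposed text says 20, wayne argues for 4-8) and a cap on total record
bytes parsed (512-2048).  Exceeding either aborts with an 'unknown' result.
"""
from dataclasses import dataclass

# Constructed zone standing in for DNS TXT lookups so the example runs
# offline.  Every domain and record here is invented for illustration.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:192.0.2.0/24 include:a.example.org "
                             "include:b.example.org ~all",
    "a.example.org": "v=spf1 a -all",
    "b.example.org": "v=spf1 redirect=c.example.org",
    "c.example.org": "v=spf1 ip4:198.51.100.0/24 -all",
    # Self-referencing publisher: without a budget this never terminates.
    "loop.example": "v=spf1 include:loop.example include:loop.example -all",
    # Oversized publisher: one record well past a 2048-byte budget.
    "big.example": "v=spf1 " + " ".join(f"ip4:10.{i}.0.0/16" for i in range(200)) + " -all",
}


class SpfLimitExceeded(Exception):
    """Raised when a budget is exhausted; the checker then returns 'unknown'."""


@dataclass
class Budget:
    max_subqueries: int = 8    # include + redirect, as in the proposed text
    max_bytes: int = 2048      # total bytes of SPF records parsed
    subqueries: int = 0
    bytes_parsed: int = 0
    txt_lookups: int = 0       # TXT queries actually issued
    other_lookups: int = 0     # a/mx/ptr/exists terms: real DNS cost, but
                               # excluded from the proposed 20-subquery count
                               # (and 'mx' really costs 1 + one A per MX host)


def fetch_record(domain: str, budget: Budget) -> str:
    """Simulated TXT lookup that charges the byte budget."""
    budget.txt_lookups += 1
    record = ZONE.get(domain)
    if record is None:
        raise KeyError(f"no SPF record for {domain}")
    budget.bytes_parsed += len(record.encode())
    if budget.bytes_parsed > budget.max_bytes:
        raise SpfLimitExceeded(f"byte limit {budget.max_bytes} exceeded at {domain}")
    return record


def _charge_subquery(budget: Budget, target: str) -> None:
    budget.subqueries += 1
    if budget.subqueries > budget.max_subqueries:
        raise SpfLimitExceeded(
            f"subquery limit {budget.max_subqueries} exceeded at {target}")


def walk(domain: str, budget: Budget) -> None:
    """Recursively follow include: and redirect= under the given budget."""
    terms = fetch_record(domain, budget).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    redirect = None
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()                      # strip qualifier
        name = mech.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "include":
            target = mech.split(":", 1)[1]
            _charge_subquery(budget, target)
            walk(target, budget)
        elif name == "redirect":
            redirect = mech.split("=", 1)[1]                    # applied last
        elif name in ("a", "mx", "ptr", "exists"):
            budget.other_lookups += 1
    if redirect is not None:
        _charge_subquery(budget, redirect)
        walk(redirect, budget)


def check_limits(domain: str, max_subqueries: int = 8, max_bytes: int = 2048):
    """Return (status, reason, budget); status is 'ok' or 'unknown'."""
    budget = Budget(max_subqueries=max_subqueries, max_bytes=max_bytes)
    try:
        walk(domain, budget)
    except SpfLimitExceeded as exc:
        return "unknown", str(exc), budget
    return "ok", "", budget


if __name__ == "__main__":
    for name in ("example.com", "loop.example", "big.example"):
        status, reason, b = check_limits(name)
        print(f"{name}: {status} {reason} subqueries={b.subqueries} "
              f"txt={b.txt_lookups} other={b.other_lookups} bytes={b.bytes_parsed}")
```

With the default budget, example.com passes after 4 subqueries, but the checker actually issued 5 TXT queries plus 2 more for the mx and a terms, which is the amplification the message objects to; loop.example stops at the 9th subquery instead of recursing forever, and big.example is rejected on its first record by the byte limit alone.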