spf-discuss

RE: DDoS attacks via SPF

2003-12-22 12:39:33
wayne wrote:
> I think allowing 20 DNS lookups is still far too many.  How long would
> 20 DNS lookups take?  Even if they are only 100ms each (50ms to the
> DNS server, 50ms back), we are talking about 2 seconds to process a
> single SPF check.  If you consider that all too many DNS lookups are
> more in the range of 200-600ms, you are talking about some serious
> delays here.

I agree with this; 20 lookups seems a bit excessive.

> Can you give an example where an SPF publisher really *needs* to use
> more than 4 lookups to someplace external to the domain being checked
> or 8 lookups total?

I think a better question may be, "Can you give an example where an SPF
publisher really needs to redirect externally that would in turn
redirect somewhere else?"  I think perhaps the recursion depth should be
limited as well as, or instead of, the number of queries.  If you as a
publisher redirect your queries to a 3rd party, that 3rd party should
not be able to redirect queries elsewhere; the publisher should
redirect to something that will authoritatively answer the query.  I
think the client should follow a single redirect and then answer
'unknown' if it is asked to redirect again.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
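The two limits discussed in this message (a total budget of DNS-lookup-causing terms, and refusing to follow more than one redirect) are easy to show in a toy evaluator. The block below is an added example for this archive page, not code from the SPF project, the draft, or either poster; it understands only ip4, include, redirect= and all, resolves records from a constructed in-memory table (RFC 5737 documentation addresses, invented domain names) so it runs offline, and returns 'unknown' when either limit is hit, which is the term this thread uses (the later RFC 7208 settled on 10 lookup-causing terms, counts redirect= toward that budget rather than capping depth separately, and calls the over-limit result permerror).

```python
"""Toy SPF evaluator with a DNS-lookup budget and a redirect-depth cap.

Added example for this thread; not code from the SPF project or the draft.
It understands only ip4, include, redirect= and all, and resolves records
from a constructed in-memory table so it runs offline.
"""
import ipaddress

# Constructed sample records (RFC 5737 documentation addresses, invented
# domains); not data from any real zone.
DNS_TXT = {
    # publisher that hands its policy to a third party with one redirect
    "example.com": "v=spf1 ip4:192.0.2.0/24 redirect=_spf.provider.example",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # publisher whose third party redirects again (the hop the post would refuse)
    "chain.example": "v=spf1 redirect=hop1.example",
    "hop1.example": "v=spf1 redirect=hop2.example",
    "hop2.example": "v=spf1 ip4:203.0.113.5 -all",
    # publisher with nine includes, each of which costs one DNS lookup
    "noisy.example": "v=spf1 "
    + " ".join(f"include:i{n}.example" for n in range(1, 10))
    + " -all",
}
DNS_TXT.update({f"i{n}.example": f"v=spf1 ip4:203.0.113.{n} -all" for n in range(1, 10)})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Budget:
    """Shared counter for one SPF check: lookups spent and the caps in force."""

    def __init__(self, max_lookups, max_redirects):
        self.max_lookups = max_lookups
        self.max_redirects = max_redirects
        self.lookups = 0

    def spend(self):
        """Charge one DNS lookup; False once the budget is exhausted."""
        self.lookups += 1
        return self.lookups <= self.max_lookups


def _split(term):
    """Return (result-if-matched, mechanism) for a term with an optional qualifier."""
    if term[0] in QUALIFIERS:
        return QUALIFIERS[term[0]], term[1:]
    return "pass", term


def _check(domain, ip, budget, redirects_followed):
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    redirect_to = None
    for term in record.split()[1:]:
        result, mech = _split(term)
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            if not budget.spend():  # every include costs a DNS lookup
                return "unknown"
            sub = _check(mech[8:], ip, budget, redirects_followed)
            if sub == "unknown":  # a limit was hit deeper down; propagate it
                return "unknown"
            if sub == "pass":  # include "matches" only when the sub-check passes
                return result
        elif mech.startswith("redirect="):
            redirect_to = mech[9:]  # modifier: applied only if nothing matched
        elif mech == "all":
            return result
    if redirect_to is not None:
        if redirects_followed >= budget.max_redirects:
            return "unknown"  # refuse the second hop, as the post proposes
        if not budget.spend():  # the redirect itself is a DNS lookup too
            return "unknown"
        return _check(redirect_to, ip, budget, redirects_followed + 1)
    return "neutral"


def evaluate(domain, sender_ip, max_lookups=8, max_redirects=1):
    """Check sender_ip against domain's policy; returns (result, lookups used).

    Defaults follow the numbers floated in this thread: 8 lookups total and
    a single redirect hop. Both are assumptions for this example, not the draft's.
    """
    budget = Budget(max_lookups, max_redirects)
    result = _check(domain, ipaddress.ip_address(sender_ip), budget, 0)
    return result, budget.lookups


if __name__ == "__main__":
    for dom, ip, kw in [
        ("example.com", "198.51.100.7", {}),
        ("chain.example", "203.0.113.5", {}),
        ("chain.example", "203.0.113.5", {"max_redirects": 2}),
        ("noisy.example", "203.0.113.9", {}),
        ("noisy.example", "203.0.113.9", {"max_lookups": 20}),
    ]:
        print(dom, ip, kw, "->", evaluate(dom, ip, **kw))
```

With the defaults, chain.example comes back 'unknown' after one lookup because the third party's record tries to redirect again, and noisy.example comes back 'unknown' on its ninth include; raising the caps to what the draft allowed lets both evaluate to 'pass', at the cost of 2 and 9 serialized DNS round trips respectively, which is the latency wayne was counting.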

