spf-discuss

Re: Publishing of SPF Records

2004-04-16 19:30:03
On Thu, 2004-04-15 at 04:56, Stefan Engelbert wrote:

> I was wondering if SPF could be used by domain owners who don't have
> access to their DNS servers.

It could.  In fact, it's a pretty cool idea.  I'm all for anything that
would help further SPF deployment.  However, there is an obscene amount
of overhead in using TCP (40 bytes as opposed to UDP's 28); in addition
you must also factor in HTTP overhead, as well as dealing with the fact
that TCP has to negotiate to establish a connection, whereas UDP is
fire and forget.

> Why is publishing sticking so strictly to DNS? If HTTP publishing would
> be allowed as well, lots of low-cost domain owners would be able to publish
> their records.

As was pointed out by others from this list, TCP connections are
extremely expensive compared to UDP.  

Already as it is we have:

DNS Question: TXT? rhost.tld
DNS Answer: TXT "v=spf1 mx ptr a:domain.somehost.tld ?all"
SPF Parse: ...
 - fail?
 |- TRUE - best_guess();
 : - fail?
 : |- TRUE - trusted_forwarder();
 : : - fail?
 : : |- TRUE - caller_id();
 : : : - fail?
 : : : |- TRUE - return_result(res);
 : : : |- FALSE - return_result(res);
 : : |- FALSE - return_result(res);
 : |- FALSE - return_result(res);
 | - FALSE - return_result(res);

Each of those additional function calls means looking up more records. 
It becomes very expensive in terms of time and this is only further
compounded by using an expensive protocol like TCP, when we don't need
any of the functionality it offers.

I took the SPF record from my primary domain uhfco.net and placed it
into a text file and hosted it on my webserver.  I then grabbed it and
compared it against the SPF (TXT) DNS query.  The tally includes packet
overhead for both protocols:

HTTP (TCP):
-----------
Packet count: 10
Bytes of traffic: 1191

DNS (UDP):
----------
Packet count: 2
Bytes of traffic: 132

1191/132 = 9.02 or 9x more data than a DNS query.

This is precisely why UDP still sees extensive use, keeping in mind of
course, the above test isn't fair to TCP since we must also factor in
the HTTP overhead in that small transaction.  UDP is a very "cheap"
protocol in terms of overhead, and is perfectly suited to what we're
doing.

Like I said, it's a great idea, but not really a smart mode given how
much faster UDP is.  Although, you could talk to Microsoft.  They seem
to really enjoy adding bloat wherever they can.  CID wraps a query
language in XML and stuffs it in a DNS record.  Lovely.  In addition to
likely causing DNS servers to desire TCP transfer modes you have to deal
with the fact that many servers still refuse TCP 53 because its primary
use is for Zone Transfers.  So now you're wasting even more time trying
to negotiate a TCP session and having to fall back to UDP.  Bleck.

Cheers,

James

-- 
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
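The following is an added example, not code from this thread or from libspf. It models the two exchanges James compares above, a single UDP DNS TXT query/answer versus a minimal HTTP/1.0 fetch over TCP, and counts packets and header bytes for each using the record quoted earlier in the mail. The packet sequence, the path `/spf.txt`, and the bare HTTP headers are assumptions of the model; real captures carry TCP options and far more server headers, so the 9x ratio measured in the mail is larger than what this minimal model produces.

```python
"""Estimate wire cost of fetching an SPF record over DNS/UDP vs HTTP/TCP.

Constructed model for illustration: IPv4 without options, TCP without
options, and the smallest plausible HTTP/1.0 request and response.
"""

IP_HDR = 20   # IPv4 header, no options
UDP_HDR = 8
TCP_HDR = 20  # TCP header, no options (real SYN segments carry more)
DNS_HDR = 12  # id, flags, and the four section counts


def dns_qname_len(name: str) -> int:
    """Wire length of a domain name: one length byte per label plus a root byte."""
    labels = name.rstrip(".").split(".")
    return sum(1 + len(label) for label in labels) + 1


def dns_udp_cost(domain: str, record: str) -> tuple[int, int]:
    """Return (packets, bytes) for one TXT query and its single-RR answer."""
    question = dns_qname_len(domain) + 4            # QTYPE + QCLASS
    query = IP_HDR + UDP_HDR + DNS_HDR + question
    # Answer RR: compressed name pointer (2) + type (2) + class (2)
    # + TTL (4) + RDLENGTH (2) + TXT rdata (length byte + characters).
    rdata = 1 + len(record)
    answer = IP_HDR + UDP_HDR + DNS_HDR + question + 2 + 2 + 2 + 4 + 2 + rdata
    return 2, query + answer


def http_tcp_cost(domain: str, record: str) -> tuple[int, int]:
    """Return (packets, bytes) for a minimal HTTP/1.0 GET of the record.

    Ten segments: three-way handshake, request, ACK, response, ACK,
    and a three-segment close, matching the packet count in the mail.
    """
    request = f"GET /spf.txt HTTP/1.0\r\nHost: {domain}\r\n\r\n".encode()
    body = record.encode() + b"\n"
    response = (
        f"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode() + body
    empty = IP_HDR + TCP_HDR                         # segment with no payload
    segments = [
        empty, empty, empty,                         # SYN, SYN/ACK, ACK
        empty + len(request),                        # GET
        empty,                                       # ACK of the request
        empty + len(response),                       # response
        empty,                                       # ACK of the response
        empty, empty, empty,                         # FIN/ACK, FIN/ACK, ACK
    ]
    return len(segments), sum(segments)


def overhead_ratio(domain: str, record: str) -> float:
    """Bytes over TCP/HTTP divided by bytes over UDP/DNS."""
    _, udp_bytes = dns_udp_cost(domain, record)
    _, tcp_bytes = http_tcp_cost(domain, record)
    return tcp_bytes / udp_bytes


if __name__ == "__main__":
    # Domain and record are the ones quoted in the thread.
    domain = "uhfco.net"
    record = "v=spf1 mx ptr a:domain.somehost.tld ?all"
    for label, fn in (("DNS (UDP)", dns_udp_cost), ("HTTP (TCP)", http_tcp_cost)):
        packets, nbytes = fn(domain, record)
        print(f"{label}: packets={packets} bytes={nbytes}")
    print(f"ratio: {overhead_ratio(domain, record):.2f}x")
```

Even with no TCP options and only three response headers, the TCP side needs five times the packets and roughly 3.4 times the bytes of the UDP exchange; each extra round trip in the handshake and teardown is pure cost for a 40-character record.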

