spf-discuss

RE: Length of txt records

2004-06-21 15:02:26
 
[Wayne]
The limit on UDP packets for DNS is 512 bytes, but the overhead from
UDP and DNS must be taken into account.  This is a hard-coded limit
built into most DNS servers and the fact that UDP packets in general
can be larger doesn't help.

RFC-2671 is labeled as standards track, isn't it? I believe all recent
versions of BIND support UDP packets larger than 512 bytes, as do
Microsoft DNS servers. Although I think the whole OPT record thing is
hackish, it does appear to have the support of ISC and the IETF, and
should already be widely deployed.

If the DNS packet is too large, most DNS servers will try to fall back
to sending the information via TCP.  This has two huge problems.
First, using TCP is far more expensive, and the fallback occurs only
after you have wasted time trying to use UDP.  Secondly, many
firewalls block DNS over TCP.  Yes, these firewalls are broken, but
they are too common to ignore.

Which is sort of why I think using DNS for SPF records was a lamentable
but necessary decision in the first place. Yes, DNS is an
already-available distributed database with caching. And yes, DNS does
carry our MX data, so having "reverse MX data" like SPF seems logical
and symmetric. 

The problem is that SPF is attempting to store *policy* in DNS, not just
"reverse MX" records. That policy is a set of descriptive instructions -
a script. Policies can become arbitrarily large and convoluted,
depending on who is writing the policy. Witness the U.S. tax code. Heck,
some organizations might even want the policy to change based on who is
inquiring about it, or where they are inquiring from. The DNS
infrastructure wasn't designed for this. Obviously SPF-in-DNS is
efficient for small records, but it does not scale well to complex
policies and large organizations. The Exists mechanism is a great idea,
but you need a custom resolver.

Of course, creating a new, multi-master distributed database
infrastructure to store SPF records is a non-starter. SPF deployment
would still be near zero if we all had to set up a special SPF server
and manage it. It would be great to rip out SMTP and DNS and replace
them with something without their known limitations, but it will not
happen soon, if ever.

All this sort of makes me sad, and I lose my enthusiasm for the Internet
in general. I fear we may be closing our networks into trusted clusters
of organizations a few years from now, defending ourselves from spam,
DDoS attacks, etc.

It is remarkable how prescient and effective many of the Internet's
designers were, and how well the infrastructure has held up. But are we
ever going to be able to replace the broken parts of the Internet? Or
will assumptions made back in the 1970s haunt us until the Internet
loses its utility? Won't we have to "fish or cut bait" at some point and
simply introduce new, fixed protocols that supplant older ones but are
not entirely compatible? If so, is that time upon us, and is SPF a
vehicle with enough support to start the process?

Anyway, I apologize in advance for all the philosophy, I sometimes get
depressed by intractable problems.
        Ryan

=========================
All problems can be solved by diplomacy, but violence and treachery are
equally effective, and more fun.
      -Anonymous
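Wayne's arithmetic on the 512-byte limit and Ryan's remarks about EDNS0 and TCP fallback can be made concrete. What follows is an added example, not code from this thread or from any SPF implementation: it builds a minimal DNS response carrying an SPF TXT record (no name compression, so the sizes are an upper bound on what a real server would send), measures it against the classic 512-byte UDP payload cap from RFC 1035, works out how much record text fits for a given query name, and shows when a responder has to truncate (TC=1) so the resolver retries over TCP, unless the client advertised a larger buffer with an RFC 2671 OPT record. The query name, record text and buffer sizes are constructed inputs.

```python
"""Wire-size budgeting for an SPF TXT answer under the 512-byte DNS/UDP limit.
Added example for illustration; not taken from the spf-discuss thread."""
import struct
from typing import Optional

DNS_UDP_LIMIT = 512   # RFC 1035 s4.2.1: max DNS payload over UDP without EDNS0
UDP_HEADER = 8        # bytes the transport adds on top of the DNS message
IPV4_HEADER = 20      # bytes the network layer adds (no options)


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: <len><label>... terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("each label must be 1..63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA is one or more <character-string>s of at most 255 octets each,
    so a long SPF record costs one extra length byte per 255-byte chunk."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_response(qname: str, txt: str, ttl: int = 3600,
                   edns_bufsize: Optional[int] = None) -> bytes:
    """Minimal response: header, one question, one TXT answer, optional OPT RR.
    Names are written in full (no compression), so this is an upper bound."""
    qname_wire = encode_name(qname)
    arcount = 1 if edns_bufsize else 0
    # ID, flags (QR=1 RD=1 RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)
    question = qname_wire + struct.pack("!HH", 16, 1)        # QTYPE=TXT, QCLASS=IN
    rdata = encode_txt_rdata(txt)
    answer = qname_wire + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    msg = header + question + answer
    if edns_bufsize:
        # RFC 2671 OPT pseudo-RR: root name, TYPE=41, CLASS = sender's UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def udp_budget(msg: bytes, limit: int = DNS_UDP_LIMIT) -> dict:
    """How the DNS message fits against the UDP payload limit, plus the
    on-the-wire size once UDP and IPv4 headers are counted (constructed figures)."""
    return {
        "dns_bytes": len(msg),
        "on_the_wire_ipv4": len(msg) + UDP_HEADER + IPV4_HEADER,
        "fits": len(msg) <= limit,
        "spare": limit - len(msg),
    }


def max_txt_for_udp(qname: str, limit: int = DNS_UDP_LIMIT) -> int:
    """Longest SPF string (in characters) whose uncompressed response still
    fits in `limit` bytes. Grows the record until it no longer fits."""
    n = 0
    while len(build_response(qname, "a" * (n + 1))) <= limit:
        n += 1
    return n


def needs_tcp_fallback(msg: bytes, client_bufsize: Optional[int] = None) -> bool:
    """True when the responder cannot fit `msg` in the client's UDP buffer and
    must answer with TC=1, forcing a TCP retry (RFC 1035 s4.2.1). A client that
    advertised a larger EDNS0 buffer (RFC 2671) raises the limit instead."""
    limit = client_bufsize if client_bufsize else DNS_UDP_LIMIT
    return len(msg) > limit


if __name__ == "__main__":
    # Constructed inputs: a short policy and a deliberately bloated one.
    short = build_response("example.com", "v=spf1 mx -all")
    print(udp_budget(short))
    print("max SPF chars for example.com over plain UDP:", max_txt_for_udp("example.com"))
    bloated = "v=spf1 " + "ip4:192.0.2.0/24 " * 60 + "-all"
    big = build_response("example.com", bloated)
    print("bloated policy needs TCP without EDNS0:", needs_tcp_fallback(big))
    print("bloated policy needs TCP with 4096-byte EDNS0 buffer:",
          needs_tcp_fallback(big, client_bufsize=4096))
```

The fixed overhead for a query name like example.com is 52 bytes before a single byte of policy, so roughly 458 characters of SPF text is the most that can be guaranteed to arrive in one plain-UDP response; everything beyond that relies on EDNS0 being honoured end to end or on 53/tcp not being filtered along the path.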

