----- Original Message -----
From: "jpinkerton" <johnp(_at_)idimo(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
What is a parent of "my.very.long.domain.example.com"?
If you say it's "example.com", how are you going to decide when you see
"my.very.long.domain.example.co.uk"?
Can you not use multiple wildcards -
*.example.com
*.*.example.com
*.*.*.example.com
etc. ad nauseam?
I. There can be only one wildcard under the domain, i.e. *.example.com
will reach anything below, and it's not necessary to do *.*.example.com,
so please don't give examples like the above.
II. If the question is really whether you can ask an SPF validating agent that needs to
find out about "my.very.long.domain.example.co.uk" to do lookups as follows:
1. my.very.long.domain.example.co.uk
2. very.long.domain.example.co.uk
3. long.domain.example.co.uk
4. domain.example.co.uk
5. co.uk
The result will be a large number of DNS lookups that are necessary
(leading to "ad nauseam" ...) and still it's not precisely clear where to
stop. As you can see from the above, the stop should be at #4, but if the
domain owner failed to put an SPF record on #4, you will end up going
to co.uk, leading to overloading the ccTLD DNS server with bogus queries
(and if I were the co.uk operator I would get mad as hell ...).
Additionally, the above opens up a number of interesting DoS
possibilities, giving the attacker a "low-cost" option of how to
cause the victim to perform queries 10 times or more in number
than what the attacker himself did.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
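The parent-walk described in the reply, written out as an added example that is not from the thread: it enumerates the names an "ask the parent until an SPF record turns up" validator would query, stops below a public suffix so the ccTLD is never asked, and applies a per-message lookup cap so the attacker-chosen label count cannot multiply the validator's DNS work. The suffix set is a constructed stand-in for a real public-suffix list, and `max_lookups` is an assumed limit, not a setting from any SPF implementation.

```python
# Constructed stand-in for a public-suffix list; a real validator would load the
# full Public Suffix List. Names at or above these are never queried.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def candidate_parents(hostname, suffixes=PUBLIC_SUFFIXES, max_lookups=None):
    """Names a 'walk up until you find SPF' strategy would query, most
    specific first. The walk stops before any public suffix (so co.uk is
    never asked), and max_lookups (assumed cap) bounds the total."""
    labels = hostname.lower().rstrip(".").split(".")
    names = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in suffixes:
            break  # would be a bogus query against the ccTLD/public suffix
        names.append(name)
    if max_lookups is not None:
        names = names[:max_lookups]
    return names


def amplification(hostname, **kw):
    """Queries the validator performs for one message whose sender used
    this hostname: the victim-work vs attacker-work ratio from the post."""
    return len(candidate_parents(hostname, **kw))


if __name__ == "__main__":
    for h in ("my.very.long.domain.example.co.uk",
              "a.b.c.d.e.f.g.h.i.j.k.l.example.com"):
        print(h, "unbounded:", amplification(h),
              "capped:", amplification(h, max_lookups=3))
```

Without the cap the second hostname alone costs the validator thirteen lookups; adding labels to a sender name is free for the attacker, which is exactly the asymmetry the reply warns about.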