spf-discuss

Re: It's published!

2004-10-17 03:44:41
Mark Lentczner wrote:

> For now, I suggest that this be the normative reference

ACK.  But "we" (= you ;-) can still try to add some of Wayne's
points.  His idea about limiting DNS queries makes sense to me,
but maybe his proposed solution was a bit too complex.

In essence it's possible to get rid of the SPF DDoS scenario
in the "security considerations" completely:

- remove the overall (optional) evaluation timeout (7.2)
- remove the DDoS disclaimer in "security consideration" (10)
- remove the limit "ten check_host() evaluations" (7.2)

Replace all this stuff by a new limit of evaluated directives.
The exact number to be determined, let's say 10 for the moment,
each a / mx / ptr / include or redirect= counted as "one step",
ignoring ip4 / ip6 / all.

Define it as hard limit:  "Each sender policy MUST reach a
final 'all' directive after at most 10 evaluated directives
resulting in any DNS query.  Otherwise the result is PermError"

With this hard limit tools like the wizard could automatically
detect invalid sender policies.  Unlike vague global timeouts
this evaluation limit works reliably.  All timeout problems in
SPF are then caused by DNS, and independent of the check_host()
implementation.

A single simple limit is IMHO better than Wayne's idea of many
individual limits, although mx / ptr can be much more expensive
than any a / include / redirect=.

10 directives in Wayne's "13 MX" example still result in 130
DNS queries.  But 10 check_host() evaluations as in the current
draft could be almost anything, e.g. 10 * 20 * 13 queries, and
that's too much.  Aborting 2600 DNS queries after 20 seconds
doesn't help the victim, if these queries are triggered by
say 200,000 DDoS spam mails.
                             Bye, Frank


