
Re: Re: It's published!

2004-10-17 11:33:53
In <41724D19(_dot_)434(_at_)xyzzy(_dot_)claranet(_dot_)de> Frank Ellermann 
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> writes:

> Define it as hard limit:  "Each sender policy MUST reach a
> final 'all' directive after at most 10 evaluated directives
> resulting in any DNS query.  Otherwise the result is PermError"
>
> [...]
> A single simple limit is IMHO better than Wayne's idea of many
> individual limits, although mx / ptr can be much more expensive
> than any a / include / redirect=.

The intent of my limits is to do basically what you say:  Domain
owners can count the number of mechanisms and tell if they are within
the limits.

The limits that I placed on MX and PTR lookups are something I doubt
will cause any practical problems.

While it is somewhat common to have more than 10 incoming MTAs (AOL,
Yahoo, etc. have hundreds), this is generally done by creating many A
records for each MX domain name, rather than creating many different
MX domain names each with only one A record.  For example, AOL only
has 4 MX records, gmail only has two.

The limit of checking only 10 MX records not only prevents the DDoS
amplification factor from being too large, but you also can't fit much
more than 10 MX records in a single UDP DNS packet.  People who do
sensible stuff simply won't run into problems.  With the limits,
people who don't do sensible stuff won't cause problems.


With the PTR checks, it is important to remember that djbdns and,
IIRC, MS's DNS server both automatically add PTR records for each A
record.  So, if you are a web hoster with 1000 virtual domains all
served by the same machine, you can easily have 1000 PTR RRs.

Now, in legitimate situations, all of those PTR references should work
equally well for the SPF ptr: mechanism since they all point back to
the same machine.  In the case of forged email, none of them will
work.  So, again, it will be very rare for domain owners to even have
to know of this limit.


The limits are fairly easy for domain owners to understand and I think
that is the most important thing.

The limits I've specified in the spec are the limits that have been in
place in libspf2 for many months now.  The code was trivial to add for
me, and I suspect it will not be hard for anyone else.

The limits look messy in the spec.  I don't care about that, as long
as it is easy for domain owners and safe for the Internet.


> Aborting 2600 DNS queries after 20 seconds
> doesn't help for the victim, if these queries are triggered by
> say 200,000 DDoS spam mails.

Right, and if these 2600 DNS queries are done in parallel (as
recommended by many people, especially the Spamassassin folks), then
the victim can easily be hit with the full impact of the DDoS
attack.


-wayne
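As an added illustration (this is not code from the list post or from libspf2), the following minimal Python SPF evaluator applies the three limits discussed above: at most 10 mechanisms or modifiers that cause DNS queries per evaluation (PermError beyond that, counted across include: and redirect=), and only the first 10 MX names and first 10 PTR names consulted per mx/ptr mechanism. DNS is replaced by a constructed in-memory zone so it runs offline; every domain name, address and record in ZONE is made up for the example, and the "web hoster with many PTR records" case from the post is modelled as one address with 12 PTR names.

```python
"""SPF evaluation with DNS-lookup limits (added example, not the list post's code)."""
from ipaddress import ip_address, ip_network

MAX_DNS_MECHANISMS = 10   # a, mx, ptr, include, redirect= count toward this
MAX_MX_RECORDS = 10       # MX names consulted per "mx" mechanism
MAX_PTR_RECORDS = 10      # PTR names consulted per "ptr" mechanism
RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


class PermError(Exception):
    """Evaluation aborted because the policy needs too many DNS queries."""


# Constructed zone data (illustrative names and addresses, not real records).
ZONE = {
    "txt": {
        "example.com": "v=spf1 mx ptr include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 a:relay.example.net ip4:192.0.2.0/28 -all",
        "mxheavy.example": "v=spf1 mx -all",                 # 15 MX names below
        "toomany.example": "v=spf1 "                          # 11 DNS-querying terms
                           + " ".join(f"a:h{i}.toomany.example" for i in range(11))
                           + " -all",
    },
    "a": {
        "relay.example.net": ["192.0.2.10"],
        "mail1.example.com": ["192.0.2.1"],
        "mail2.example.com": ["192.0.2.2"],
        **{f"mx{i}.mxheavy.example": [f"203.0.113.{i}"] for i in range(1, 16)},
        **{f"vhost{i}.example.com": ["192.0.2.50"] for i in range(12)},
    },
    "mx": {
        "example.com": ["mail1.example.com", "mail2.example.com"],
        "mxheavy.example": [f"mx{i}.mxheavy.example" for i in range(1, 16)],
    },
    # One web host serving many virtual domains: 12 PTR names for one address.
    "ptr": {"192.0.2.50": [f"vhost{i}.example.com" for i in range(12)]},
}


class Evaluator:
    def __init__(self, zone):
        self.zone = zone
        self.dns_mechanisms = 0   # shared across include:/redirect= recursion

    def _count_dns_mechanism(self):
        self.dns_mechanisms += 1
        if self.dns_mechanisms > MAX_DNS_MECHANISMS:
            raise PermError(f"more than {MAX_DNS_MECHANISMS} DNS-querying directives")

    def _a_matches(self, name, ip):
        return any(ip == ip_address(a) for a in self.zone["a"].get(name, []))

    def check(self, domain, sender_ip):
        ip = ip_address(sender_ip)
        record = self.zone["txt"].get(domain)
        if record is None:
            return "None"
        redirect = None
        for term in record.split()[1:]:          # skip the "v=spf1" version tag
            if term.startswith("redirect="):
                redirect = term[len("redirect="):]
                continue
            qualifier = term[0] if term[0] in RESULT else "+"
            mech, _, arg = term.lstrip("+-~?").partition(":")
            mech, target = mech.lower(), arg or domain
            if mech == "all":
                return RESULT[qualifier]
            if mech == "ip4":                     # no DNS query, not counted
                matched = ip in ip_network(arg, strict=False)
            elif mech == "a":
                self._count_dns_mechanism()
                matched = self._a_matches(target, ip)
            elif mech == "mx":
                self._count_dns_mechanism()
                mx_names = self.zone["mx"].get(target, [])[:MAX_MX_RECORDS]
                matched = any(self._a_matches(n, ip) for n in mx_names)
            elif mech == "ptr":
                self._count_dns_mechanism()
                names = self.zone["ptr"].get(str(ip), [])[:MAX_PTR_RECORDS]
                # A PTR name counts only if its A record confirms the address
                # and the name lies within the target domain.
                matched = any(self._a_matches(n, ip) and n.endswith("." + target)
                              for n in names)
            elif mech == "include":
                self._count_dns_mechanism()
                matched = self.check(arg, str(ip)) == "Pass"
            else:
                raise PermError(f"unknown mechanism {mech!r}")
            if matched:
                return RESULT[qualifier]
        if redirect is not None:
            self._count_dns_mechanism()
            return self.check(redirect, str(ip))
        return "Neutral"


def check_host(sender_ip, domain, zone=ZONE):
    """Return the SPF result for sender_ip under domain's policy, or "PermError"
    when a lookup limit is exceeded."""
    try:
        return Evaluator(zone).check(domain, sender_ip)
    except PermError:
        return "PermError"
```

With this zone, `check_host("192.0.2.50", "example.com")` passes via ptr even though the address has 12 PTR names (only the first 10 are consulted, and they all point back to the same host), `check_host("203.0.113.12", "mxheavy.example")` fails because the 12th MX name is never resolved, and `toomany.example` yields PermError on its 11th DNS-querying mechanism; a forged sender address with no matching records simply walks the same bounded number of lookups and reaches `-all`.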

