spf-discuss

Re: Requested changes

2004-10-18 10:19:08
In <4173C9AE.284B@xyzzy.claranet.de> Frank Ellermann
<nobody@xyzzy.claranet.de> writes:

> Incomplete list of requested changes:

Three comments:

> 3 - "security considerations"
>   - at most 10 directives (excl. ip4/ip6)  [me]

The limit on 10 mechanisms has been in libspf2 since day one and was in
the initial release of draft-schlitt-spf-00 in section 7.2 "Process
limits", near the top.  So, obviously, I completely agree with this.

>   - at most 5 MX + 5 PTR + 10 check_host() [Wayne]

In my latest version, I've removed the 10 check_host() limit since
the 10 mechanism limit makes it completely redundant.

The limits on MX and PTR RR lookups are 10, not 5.  My initial limits
in libspf2 were 5, but after carefully studying the actual bandwidth
usage in DoS scenarios, I found that the limit could safely be raised
to 10.  10 is also conveniently around the maximum number of these RRs
that can be put in a UDP DNS packet.


> 4 - "zone cut"
>  - copy Randy Bush's "zone cut" algorithm from RFC 2181

I think it is much better to have a reference to RFC2181 rather than
to duplicate the doc.  If/when RFC2181 gets updated, we will want to
follow the latest zone-cut spec.


-wayne
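The process limits discussed in this message (at most 10 DNS-querying mechanisms per evaluation, with include and redirect each counting as one, and a cap of 10 on the RRs returned for an mx or ptr lookup) are easy to get wrong in a resolver-facing implementation, so here is a small static checker for them. This is an added example written for this archive page; it is not code from libspf2 or from the draft. The ZONE table is a constructed set of SPF records, no real DNS is queried, and the count is a worst case that assumes every term is evaluated (a real check_host() stops at the first match). The treatment of an over-limit lookup, permerror for mx but "first 10 are used" for ptr, follows the later RFC 7208 section 4.6.4 rather than the 2004 draft under discussion.

```python
"""Static SPF process-limit check over a constructed zone (example, not libspf2)."""

# Terms that cost a DNS query during evaluation; ip4, ip6 and all do not.
DNS_TERMS = {"a", "mx", "ptr", "exists", "include"}
MAX_DNS_TERMS = 10   # total across the whole evaluation, includes and redirects included
MAX_MX_RRS = 10      # RRs allowed from one "mx" lookup
MAX_PTR_RRS = 10     # RRs used from one "ptr" lookup


class PermError(Exception):
    """Mirrors SPF's permerror: the record cannot be evaluated safely."""


# Constructed zone: domain -> SPF TXT record.  Example data, not a real zone.
ZONE = {
    "example.org": "v=spf1 mx a include:_spf.example.org -all",
    "_spf.example.org": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.rbl.example.org "
                        "include:mail.example.org ~all",
    "mail.example.org": "v=spf1 a:relay1.example.org a:relay2.example.org "
                        "redirect=fallback.example.org",
    "fallback.example.org": "v=spf1 mx ptr -all",
    # Self-include: the term limit, not loop detection, is what stops this.
    "loop.example.org": "v=spf1 include:loop.example.org -all",
    # Eleven "a" mechanisms in one record.
    "bloated.example.org": "v=spf1 " + " ".join(f"a:h{i}.example.org" for i in range(11)) + " -all",
}


def parse_terms(record):
    """Split a record into (name, argument) tuples; qualifiers and CIDR lengths are stripped."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    terms = []
    for field in fields[1:]:
        if field[0] in "+-~?":
            field = field[1:]
        if "=" in field:                       # modifier, e.g. redirect=..., exp=...
            name, _, arg = field.partition("=")
            terms.append(("mod:" + name.lower(), arg))
        else:
            name, _, arg = field.partition(":")
            name = name.split("/")[0].lower()  # "a/24" -> "a"
            terms.append((name, arg))
    return terms


def count_dns_terms(domain, zone=ZONE, _count=0):
    """Return the number of DNS-querying terms a full evaluation would hit.

    Walks include: and redirect= recursively, carrying one running counter so
    the limit applies to the whole evaluation.  Raises PermError past the limit.
    """
    record = zone.get(domain)
    if record is None:
        raise PermError(f"no SPF record for {domain}")
    redirect = None
    for name, arg in parse_terms(record):
        if name in DNS_TERMS:
            _count += 1
            if _count > MAX_DNS_TERMS:
                raise PermError(f"more than {MAX_DNS_TERMS} DNS-querying terms")
            if name == "include":
                _count = count_dns_terms(arg, zone, _count)
        elif name == "mod:redirect":
            redirect = arg                     # evaluated after all mechanisms
    if redirect is not None:
        _count += 1
        if _count > MAX_DNS_TERMS:
            raise PermError(f"more than {MAX_DNS_TERMS} DNS-querying terms")
        _count = count_dns_terms(redirect, zone, _count)
    return _count


def cap_rrs(mechanism, rrs):
    """Per-lookup RR cap: an over-limit mx is a permerror, an over-limit ptr keeps the first 10."""
    rrs = list(rrs)
    if mechanism == "mx":
        if len(rrs) > MAX_MX_RRS:
            raise PermError(f"mx lookup returned {len(rrs)} RRs, limit is {MAX_MX_RRS}")
        return rrs
    if mechanism == "ptr":
        return rrs[:MAX_PTR_RRS]
    raise ValueError("cap_rrs applies to mx and ptr only")


if __name__ == "__main__":
    for d in ("example.org", "bloated.example.org", "loop.example.org"):
        try:
            print(d, "uses", count_dns_terms(d), "DNS-querying terms")
        except PermError as e:
            print(d, "permerror:", e)
```

example.org comes out at exactly 10 terms once its includes and the redirect are followed, which is the boundary a publisher needs to know about; bloated.example.org and loop.example.org both fail on the eleventh term, the latter showing why the 10-mechanism limit makes a separate check_host() recursion limit redundant.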