Seth Goodman wrote:
Wayne has brought up that issue repeatedly and his warnings
have fallen largely on deaf ears.
He addresses it in draft-schlitt-01, grep for the magic "10":
Page 19 (mx) :
"a limit of 10 MX names MUST be enforced"
Page 20 (ptr):
"a limit of 10 PTR names MUST be enforced" [...] "if more
than 10 sending-domain_names are found, use at most 10."
Page 26:
"SPF implementations MUST limit the number of mechanisms that
do DNS lookups to at most 10." [...]
"When evaluating the "mx" mechanism, there MUST be a limit of
no more than 10 MXes looked up and checked for matching IP
addresses."
"When evaluating the "ptr" mechanism or the %{p} macro, there
MUST be a limit of at most 10 PTR DNS records looked up and
checked for a validated domain name."
There's also a section in chapter 10 (security considerations)
about this. IMHO the part about an optional overall timeout of
at least 20 seconds is now useless and should be deleted.
Any redirect= should be counted towards the magical "10", they
do not want to evaluate something like...
a.example. IN SPF "v=spf1 redirect=b.example"
b.example. IN SPF "v=spf1 redirect=a.example"
..."forever" (or for 20 seconds), it's enough after 5 + 5 = 10
redirections.
I suspect there are rational ways to deal with that problem
See above, the other "magical number" is 512 ;-) Bye, Frank
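Added example, not part of the thread and not from draft-schlitt-01 or any SPF implementation: a toy SPF evaluator that applies the "magic 10" the way the post describes, with redirect= counted against the same budget as mx, ptr, include, a and exists, so the a.example/b.example redirect loop quoted above terminates after 10 redirections with a permanent error instead of running for 20 seconds. All zone data is constructed and held in memory (addresses from the 192.0.2.0/24 documentation range); no real DNS is queried, and ptr/exists are counted but never match in this toy resolver.

```python
import ipaddress
import re

MAX_DNS_LOOKUPS = 10   # the "magic 10": DNS-querying terms per whole evaluation
MAX_MX_NAMES = 10      # per-mechanism cap on MX names (page 19 of the draft)
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}

# Constructed in-memory zone (assumption: this stands in for DNS).
ZONE = {
    "TXT": {
        "a.example": "v=spf1 redirect=b.example",   # the loop quoted in the thread
        "b.example": "v=spf1 redirect=a.example",
        "c.example": "v=spf1 mx include:d.example -all",
        "d.example": "v=spf1 a ip4:192.0.2.0/28 -all",
        "e.example": "v=spf1 a a a a a a a a a a a -all",  # 11 lookups in one record
    },
    "A": {"d.example": ["192.0.2.1"], "mail.c.example": ["192.0.2.100"]},
    "MX": {"c.example": ["mail.c.example"]},
}


class PermError(Exception):
    """Lookup limit exceeded (or record unparseable): evaluation stops with an error."""


TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](\S*))?$")
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(domain, client_ip, zone=ZONE, counter=None):
    """Return (result, lookups_used).

    `counter` is shared across include: and redirect= so the limit applies to the
    whole evaluation rather than to each record separately; that is what makes a
    mutual redirect terminate after 5 + 5 = 10 hops.
    """
    if counter is None:
        counter = {"lookups": 0}
    record = zone["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", counter["lookups"]
    ip = ipaddress.ip_address(client_ip)
    redirect_to = None
    for raw in record.split()[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise PermError(f"unparseable term {raw!r}")
        qual, name, arg = m.group(1) or "+", m.group(2), m.group(3)
        if name in DNS_TERMS:
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                raise PermError(f"more than {MAX_DNS_LOOKUPS} DNS-querying terms")
        target = arg or domain
        if name == "redirect":
            redirect_to = arg          # followed only if no mechanism below matches
            continue
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in zone["A"].get(target, [])
        elif name == "mx":
            hosts = zone["MX"].get(target, [])
            if len(hosts) > MAX_MX_NAMES:
                raise PermError(f"more than {MAX_MX_NAMES} MX names")
            matched = any(str(ip) in zone["A"].get(h, []) for h in hosts)
        elif name == "include":
            sub, _ = evaluate(arg, client_ip, zone, counter)  # same budget
            matched = sub == "pass"
        # ptr / exists: charged to the budget above, never match in this toy
        if matched:
            return RESULT_BY_QUALIFIER[qual], counter["lookups"]
    if redirect_to:
        return evaluate(redirect_to, client_ip, zone, counter)
    return "neutral", counter["lookups"]


if __name__ == "__main__":
    print(evaluate("c.example", "192.0.2.100"))   # ('pass', 1)
    try:
        evaluate("a.example", "192.0.2.1")
    except PermError as e:
        print("a.example:", e)                    # stops after 10 redirections
```

The counter is carried in a single dict rather than passed by value so that an include: chain cannot reset it; the only other state is the redirect target, which is applied after the record's own mechanisms have all been tried.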