spf-discuss

Re: DNS lookup limit?

2005-02-27 00:20:23
Radu Hociung wrote:

> Do you see a problem with accumulating query counts across
> the entire SPF record evaluation process?

If all conforming implementations use the same limits, it's
fine, they would then agree on a "Permerror" for the sender
policy.  It's even possible to integrate these limits in a
"SPF validator" or "SPF setup wizard".

If different implementations use different limits it's a
royal PITA, sometimes the Sender gets a PermError, but
with other recipients the very same IP has other results.

spf-classic-00 has three limits:  Up to 10 DNS mechanisms
(a / ptr / mx / include / exists / redirect=), counted 
over the complete evaluation, that's a MUST.

Each mx / ptr / %p has its own limit of 10 MXs or 10 PTRs,
also a MUST.  If you _add_ all MX queries for different
mx mechanisms, you get completely different results.

IMHO that's a very bad idea.  In Stuart's example you get
a PermError for or after the include:southeast.rr.com, but
a conforming implementation would continue its evaluation
up to include:rdc-kc.rr.com (see my parallel reply).  Bye.
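
Added example, not part of the original message: a small Python walk over a constructed SPF record tree that applies the two limits named above, once with the 10-MX limit per mx mechanism and once with MX counts accumulated across mechanisms. The domains, MX counts, and the choice to report every limit breach as PermError are assumptions for illustration, and the walk models a sender IP that matches nothing before the final -all.

```python
# Constructed data: invented example domains, not real published records.
SPF = {
    "example.com": ["mx", "include:a.example.net", "include:b.example.net", "-all"],
    "a.example.net": ["mx", "-all"],
    "b.example.net": ["mx", "-all"],
}
MX_HOSTS = {"example.com": 6, "a.example.net": 6, "b.example.net": 6}

DNS_TERMS = {"a", "ptr", "mx", "include", "exists", "redirect"}
LIMIT = 10


class PermError(Exception):
    pass


def walk(domain, accumulate_mx, state):
    """Count lookups for a sender IP that matches nothing before the final -all."""
    state["visited"].append(domain)
    for term in SPF[domain]:
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name not in DNS_TERMS:
            continue
        state["dns_terms"] += 1  # limit 1: counted over the complete evaluation
        if state["dns_terms"] > LIMIT:
            raise PermError("more than 10 DNS mechanisms")
        if name == "mx":
            hosts = MX_HOSTS[arg or domain]
            state["mx_sum"] += hosts
            # limit 2: per mx mechanism, or (divergent reading) summed over all
            if (state["mx_sum"] if accumulate_mx else hosts) > LIMIT:
                raise PermError("more than 10 MX names")
        elif name in ("include", "redirect"):
            walk(arg, accumulate_mx, state)


def evaluate(domain, accumulate_mx):
    """Return (outcome, domains visited) under the chosen MX counting rule."""
    state = {"dns_terms": 0, "mx_sum": 0, "visited": []}
    try:
        walk(domain, accumulate_mx, state)
        return "evaluated", state["visited"]
    except PermError:
        return "PermError", state["visited"]


if __name__ == "__main__":
    print("per-mechanism MX limit:", evaluate("example.com", accumulate_mx=False))
    print("accumulated MX limit:  ", evaluate("example.com", accumulate_mx=True))
```

With the same record, the per-mechanism rule reaches all three domains, while the accumulated rule stops with PermError at the first include.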


