spf-discuss

Re: DNS lookup limit?

2005-02-27 13:26:10
Radu Hociung wrote:

> Let's call the real limit of spf-classic-00 *DoS limit*.

Be careful with that, IIRC t-online.de really has 8 MXs, and
the per-user-policies of spf.pobox.com allowed all users to
create their very own PermError with a single DNS mechanism ;-)

So the "DoS limit" is already very restrictive.  Of course
you're free to abort an SPF evaluation after reaching smaller
limits, Stuart mentioned 50 queries in his example.  In fact
you're free to use a limit zero without any SPF evaluation,
or a limit one "if it has an SPF policy I (don't) reject it".

But these locally defined smaller limits or the old optional
overall timeout should not be handled like the "DoS limits".

If a sender policy like rr.com or the old pobox.com policy
hits the DoS limit, it's _invalid_ - like a syntax error.

If it hits your local limits then that's only your personal
"receiver policy", maybe treat it like a result "none", or
report an error "5xx go away, your SPF policy sucks".  But
don't claim that the policy is incorrect in that case, it's
not.

Wayne introduced the concept of "validating implementations"
in his draft.  That's a very good idea, if all conforming
implementations use the same definition of "valid".  But it
won't work if you'd report your personal limits as "invalid".

> For all practical purposes, it currently stands at 111.

It's the worst case with one sender policy + 10 mx (or ptr)
mechanisms, each with exactly 10 (the maximum) names.

If you'd apply Stuart's old local limit of 50 queries on the
rr.com sender policy, you'd get a PermError after 39 queries
without hitting Stuart's old local limit.

> How many lookups should be reasonably needed to *reliably*
> prove authenticity? I think no more than 10. This is the
> number that will cause infrastructure adjustments.

You should check such assumptions against existing policies.
RR and POBOX had reasons for their policies.

If RR now removes all redundant mx mechanisms, they also lose
some flexibility, and they have to be very careful if they plan
to add new MXs with IPs not covered by a policy without these
mx mechanisms.

If POBOX removes per-user-policies they lose a major feature.
OTOH a showcase with an invalid SPF policy makes no sense. ;-)

                        Bye, Frank
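The distinction Frank draws above, between the spec's "DoS limit" (whose violation makes a sender policy invalid) and a receiver's own smaller local budget (which says nothing about the policy), can be made concrete with a small query-accounting model. The following is an added example written for this thread; it is not code from the thread, from Frank, or from any SPF implementation. It assumes the spf-classic-00 limits quoted in the thread (at most 10 DNS-querying mechanisms per evaluation, at most 10 names per mx or ptr mechanism), uses a constructed in-memory zone instead of real DNS, and reproduces the 111-query worst case (1 policy lookup + 10 mx mechanisms × (1 MX query + 10 address lookups)). The names `walk`, `evaluate`, `Counter`, `worst_case_zone` and the `*.example` hosts are the example's own.

```python
"""Added example: DNS-query accounting for one SPF evaluation.

Hypothetical code, not from the spf-discuss thread or any SPF library.
It separates the spec's "DoS limit" (10 DNS-querying mechanisms, 10 names
per mx/ptr), whose violation makes the policy itself invalid (PermError),
from a receiver's own local query budget, whose exhaustion is a local
choice and not a verdict on the policy. The zone data is constructed.
"""
from typing import Dict, Optional, Tuple

MECH_LIMIT = 10      # DNS-querying mechanisms/modifiers per evaluation (assumed spec value)
MX_NAME_LIMIT = 10   # names one mx or ptr mechanism may resolve (assumed spec value)

Zone = Dict[str, Dict[str, object]]   # name -> {"TXT": str, "MX": [names], "PTR": [names]}


class PermError(Exception):
    """Spec limit exceeded: the sender policy is invalid, like a syntax error."""


class LocalLimit(Exception):
    """Receiver-side budget exhausted: a local choice, not a verdict on the policy."""


class Counter:
    def __init__(self, local_limit: Optional[int] = None) -> None:
        self.queries = 0
        self.mechanisms = 0
        self.local_limit = local_limit

    def query(self, n: int = 1) -> None:
        # Charge queries one at a time so a local limit trips at exactly limit + 1.
        for _ in range(n):
            self.queries += 1
            if self.local_limit is not None and self.queries > self.local_limit:
                raise LocalLimit(self.queries)

    def mechanism(self) -> None:
        self.mechanisms += 1
        if self.mechanisms > MECH_LIMIT:
            raise PermError("more than %d DNS-querying mechanisms" % MECH_LIMIT)


def walk(domain: str, zone: Zone, counter: Counter) -> None:
    """Charge every DNS query the policy at `domain` would cause."""
    counter.query()                                # TXT lookup of the policy itself
    terms = str(zone[domain]["TXT"]).split()[1:]   # drop the "v=spf1" version tag
    for term in terms:
        if term.startswith("redirect="):
            counter.mechanism()                    # counted in place; order does not change totals
            walk(term[len("redirect="):], zone, counter)
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6", "all"):
            continue                               # no DNS involved
        counter.mechanism()
        target = arg or domain
        if name in ("mx", "ptr"):
            counter.query()                        # the MX (or PTR) query
            names = list(zone[target]["MX" if name == "mx" else "PTR"])
            if len(names) > MX_NAME_LIMIT:
                raise PermError("%s resolves to %d names" % (term, len(names)))
            counter.query(len(names))              # one address lookup per name
        elif name == "include":
            walk(target, zone, counter)            # nested mechanisms share the same budget
        elif name in ("a", "exists"):
            counter.query()
        else:
            raise PermError("unknown mechanism " + name)


def evaluate(domain: str, zone: Zone, local_limit: Optional[int] = None) -> Tuple[str, int]:
    """Return (outcome, queries): 'ok', 'permerror' (policy invalid) or 'local' (your budget)."""
    counter = Counter(local_limit)
    try:
        walk(domain, zone, counter)
    except PermError:
        return ("permerror", counter.queries)
    except LocalLimit:
        return ("local", counter.queries)
    return ("ok", counter.queries)


def worst_case_zone(mx_count: int = MECH_LIMIT, names: int = MX_NAME_LIMIT) -> Zone:
    """Constructed zone: one policy with `mx_count` mx mechanisms of `names` names each."""
    hosts = ["mx%d.example" % i for i in range(mx_count)]
    policy = "v=spf1 " + " ".join("mx:" + h for h in hosts) + " -all"
    zone: Zone = {"sender.example": {"TXT": policy}}
    for h in hosts:
        zone[h] = {"MX": ["host%d.%s" % (j, h) for j in range(names)]}
    return zone


if __name__ == "__main__":
    print(evaluate("sender.example", worst_case_zone()))                  # ('ok', 111)
    print(evaluate("sender.example", worst_case_zone(), local_limit=50))  # ('local', 51)
    print(evaluate("sender.example", worst_case_zone(mx_count=11)))       # ('permerror', 111)
    print(evaluate("sender.example", worst_case_zone(names=11)))          # ('permerror', 2)
```

The point of the two exception types is exactly the one made in the message: a policy that trips `PermError` is invalid under the spec and every conforming evaluator should agree on that, whereas `LocalLimit` is reached only because this receiver chose a budget of 50, so reporting it as "policy invalid" would be wrong; the 111-query policy is valid and evaluates cleanly without a local limit.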


