Re: Re: DNS lookup limit?

Frank Ellermann wrote:

Radu Hociung wrote:

Let's call the real limit of spf-classic-00 *DoS limit*.


Be careful with that, IIRC t-online.de really has 8 MXs, and

That's fine. By publishing "v=spf1 ip4:..." they would save the worldand themselves lot of resources.

the per-user-policies of spf.pobox.com allowed all users to
create their very own PermError with a single DNS mechanism ;-)

If a sender policy like rr.com or the old pobox.com policy
hits the DoS limit, it's _invalid_ - like a syntax error.

The pobox.com record needs between 3 and 23 queries plus whatever theper-user records require. The full SPF record resolves to a list of 18IP addresses, plus whatever the per-user policies allows. Not one of the18 IP addresses is outside the pobox.com domain, and they all have thesame MX priority (10). So the entire pobox.com mail infrastructure isunder the control of pobox. I think there is no reason in this case topublish any MX or A mechanisms. All they need to publish is IP lists.

The rr.com record takes 8.4 seconds to fully resolve on my system, and Ihave DSL. It takes 0.125s the second time, once it is all in the localDNS server's cache.

The rr.com record resolves to 45 IP blocks. Not one is outside therr.com domain. Not one of the MX's is a secondary MX which is not underthe rr.com control. Also here I see no need to publish anything but alist of IP blocks.

I understand that A and MX mechanisms are necessary when the domain inquestion relies on services of third parties, who's IP and name space itdoes not administer. So if you use an MX which is not under your zone, Isee the need to point to it with an A mechanism (not even an MX).

So in neither of the pobox.com and rr.com cases do I see any gain fromusing 23 and 76 queries, other than the convenience of one administratorwho maintains the zone file for those domains. so that's 76 queries and8.4 seconds for no good reason that I can see. If I missed something,please point it out.

I asked before and got no answer as to what is a legitimate set ofcircumstances that *actually requires* more than a handful of lookups. Idon't consider the convenience of the zone file maintainer a realrequirement.

If it hits your local limits then that's only your personal
"receiver policy", maybe treat it like a result "none", or
report an error "5xx go away, your SPF policy sucks".  But
don't claim that the policy is incorrect in that case, it's
not.


That's right. And this is where the unreliability of email starts.

To avoid this, I would like to define a number of DNS mechanisms thatwill always be fully expanded at all recipients that claim to be SPFcompliant. I think this small number is what 'validatingimplementations' should be based on.

If local limits allow more than this bare minimum, more power to them.But it should not be a requirement of all mail servers to implement alarge limit for the number of queries.


Do you think one limit is enough?

I think we need to define two levels:

minimum requirement = "no one stops validating after less than X"
max recommendation = "probably no-one does more than Y queries"

Wayne introduced the concept of "validating implementations"
in his draft.  That's a very good idea, if all conforming
implementations use the same definition of "valid".  But it
won't work if you'd report your personal limits as "invalid".

I agree. We need all implementation to define valid identically. Theirdefinition of DoS may vary, though.

how many lookups should be reasonably needed to *reliably*
prove authenticity? I think no more than 10. this is the
number that will cause infrastructure adjustments.


You should check such assumptions against existing policies.
RR and POBOX had reasons for their policies.

I think both of those domains publish irresponsibly expensive SPFrecords, based on the calculations and conclusions I explained above.

If RR now removes all redudant mx mechanisms, they also lose
some flexibilty, and they have to be very careful if they plan
to add new MXs with IPs not covered by a policy without these
mx mechanisms.

If they grow they need to change the zone file to reflect the newservers, right? They need to plan this carefully anyway, and by that Imean, publish necessary DNS information "before" the new servers areallowed to spew. "Before" = enough time such that the cached records oftheir zone file has had a chance to expire at all DNS servers on theinternet. I think this equation is something like expiry+2*TTL, but I'msure there is an RFC that deals exactly with phasing in new servers, andphasing out old ones.

If POBOX removes per-user-policies they lose a major feature.
OTOH a showcase with an invalid SPF policy makes no sense. ;-)

The per-user-policies I have no problem with, except that any user ofpobox now has some control over the DNS load seen at any recipientdomains. I think that after the first abuse incident, pobox will eitherintroduce strict checking of the consequences of publishedper-user-records, or will discontinue the feature altogether.

By the way, one of the features I'm planning for the libspf2 1.0.6release is an optimizer. The optimizer would take in an SPF record, andprint out the minimalist equivalent SPF record, removing redundancies,replacing queries with IP addresses when the queries are under the samezone file as the top level, etc.


eg: for example.com: "v=spf1 a a:mx2.bigfish.com" would be optimized to:
v=spf1 ip4:192.0.34.166 a:mx2.bigfish.com"

It will also substitute mx's that end in example.com with the IPaddresses that the mechanisms would resolve to.

The idea of this is that the zone-file maintainer would edit the 'wordy'record, which contains relative references to a minimal SPF recordthat contains IP addresses wherever possible. He would then publish theoptimized record, and keep the wordy record on file for future maintenance.

With the proper makefile, the zone IP list is updated at the same timeas the zone file is updated due to mail configuration changes.


Greetings,
Radu.