spf-discuss

Re: Re: DNS lookup limit?

2005-02-27 21:57:39
Frank Ellermann wrote:
> In the discussions between draft-lentczner and draft-schlitt I
> wanted one limit for a DNS query counter, but Wayne preferred
> his three limits (mechanisms / MX / PTR), and with the single
> magic number "10" that was IMHO acceptable.

Was there any reasoning in favour of the choice of 3 separate limits? Would you mind pointing me to the archive thread that talks about this?

> With one limit like say 40 queries some policies, which now
> (classic-00) could result in PermError would be "okay" again,
> and vice versa.  And if you'd introduce _four_ limits with
> different magic numbers absolutely nobody would understand it:
>
> Implementations would then just do whatever they like.  That's
> bad, let's keep Wayne's 3 * 10 magic.  It already forces RR and
> POBOX to simplify their policies.

Unfortunately the trouble is that 3*10 adds up to 111 ;)

That strikes me as an outrageously high limit. Considering that with SPF you are literally getting the mail server to execute remote code (granted, very small instruction set, though it has goto's, gosubs, variable expansion, timeouts, etc), I think this limit is unreasonable.

No, what I would like to propose is that we make no distinction between query types. A query is roughly equally expensive, no matter whether it's A, MX or TXT. One total cumulative counter should be enough.

Since the current limit is so high, the implementations already do what they like. Perhaps not the libraries, but the mail admins may impose lower limits. I would also really like to see a requirement for how low a limit can be set and still be compliant with the spec (yes, the spec would have to be updated). Otherwise we have different low limits, and behaviour differences between servers. It will be Babel all over again.

Also, it would be really nice to get some AOL or MSN mail admins to provide feedback on reasonable limits. I wonder how to pull this off?

> > one of the features I'm planning for the libspf2 1.0.6
> > release is an optimizer. The optimizer would take in an SPF
> > record, and print out the minimalist equivalent SPF record,
>
> That's a nice idea.  You could flag redundant IPs (covered by
> more than one mechanism), find a minimal CIDR variant, etc.
>
> That sounds more like an application than library functions.

You read my mind. Yes, it will be the spfcompile program, similar to spfquery, and it will do exactly what you describe. The trickiest part will be to maintain the effects of left-to-right evaluation, so that you can have -1.2.3.0/24 +1.2.0.0/16 still yield the same results, even though you merge together the IPs with the same prefix into the largest possible CIDR blocks.

The other needed application is a *virus checker* for SPF records, that would detect loops, and other errors, like:

example.com. TXT "v=spf1 a {more stuff} include:spf.%{d} -all"
spf.example.com. TXT "v=spf1 {whatever} -all"
*.example.com. TXT "v=spf1 a {more stuff} include:spf.%{d} -all"

This works fine for user@example.com, but not so well for user@gotcha.example.com.

Greetings,
Radu.
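As an added illustration (not code from this post, from libspf2 or from the spfcompile program), here is a small Python checker in the spirit of that "virus checker": it walks the include chain of a record against a constructed in-memory zone holding the three records above, charges every DNS-querying term to one cumulative budget (a hypothetical single cap of 10, as argued for earlier in the mail), and reports when a wildcard record is re-entered through a %{d}-derived include. Wildcard matching is simplified, and the redirect= modifier is not counted.

```python
import re

# Constructed in-memory zone mirroring the records in the post; the
# {more stuff} and {whatever} placeholders are stood in for by a plain "a".
ZONE = {
    "example.com":     "v=spf1 a include:spf.%{d} -all",
    "spf.example.com": "v=spf1 a -all",
    "*.example.com":   "v=spf1 a include:spf.%{d} -all",
}

MAX_LOOKUPS = 10  # hypothetical single cumulative cap on DNS-querying terms

# Mechanisms that cost a DNS query, with an optional qualifier in front.
QUERY_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)")

def lookup_txt(name):
    """Return (zone name that answered, record) or (None, None). Wildcards are
    approximated by trying '*.' on each ancestor, closest first."""
    if name in ZONE:
        return name, ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return wild, ZONE[wild]
    return None, None

def check(domain, budget=MAX_LOOKUPS, chain=(), used=None):
    """Walk the include chain of `domain`, charging every DNS-querying term to
    one cumulative budget. Returns (queries_used, problems); [] means clean."""
    used = used if used is not None else [0]
    src, record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return used[0], [f"no SPF record for {domain}"]
    if src in chain:
        # Same record answered again, so a %{d}-derived include re-enters it.
        return used[0], [f"loop: {' -> '.join(chain + (src,))}"]
    for term in record.split()[1:]:
        if not QUERY_TERM.match(term):
            continue
        used[0] += 1
        if used[0] > budget:
            return used[0], [f"permerror: over {budget} lookups at {domain}"]
        if term.lstrip("+-~?").startswith("include:"):
            target = term.split(":", 1)[1].replace("%{d}", domain)
            _, problems = check(target, budget, chain + (src,), used)
            if problems:
                return used[0], problems
    return used[0], []
```

Running check("example.com") walks example.com and spf.example.com cleanly, while check("gotcha.example.com") hits *.example.com twice and is reported as a loop before the budget is ever reached.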
