spf-discuss

RE: Draft amendments on DNS lookup limits

2005-03-18 13:33:01
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Radu 
Hociung
Sent: Friday, March 18, 2005 3:11 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Cc: julian(_at_)mehnle(_dot_)net
Subject: [spf-discuss] Draft amendments on DNS lookup limits


I would like to propose an amendment to the SPF draft. Below I list
the proposed changes, discussion threads where the issue was debated,
and references to other RFCs that require minimum and/or maximum
processing limits.

While the referenced texts are irrelevant to SPF, I'd like to point
out that where necessary for reliability or other constraints, minimum
limits are very much in the scope of an RFC.

Some of the specs (RFC 2822, for instance) have a requirement for a
maximum limit (line size in characters), and a recommendation for
the implemented maximum limit.


--------------- Proposed Draft Amendments -----------------
I would like to propose that the SPF specification publish two
limits for the number of DNS queries performed.

A. All SPF checkers MUST resolve at least 10 DNS queries,
   regardless of type and recursion. It is recommended that all
   clients perform only 10 queries. PermError must be returned if
   the first 10 queries do not yield an authoritative SPF policy.

B. All SPF checkers SHOULD resolve at most 20 DNS queries, in
   order to protect themselves from DoS attacks. The quantity of
   20 is to each site's discretion, and MAY be set higher or
   lower.

The two limits are different as some sites may elect to perform
more than 10 queries, in order to discover whether they are
subject to a DoS attack or not. If the SPF record does not
resolve after 40 (or the locally set limit), the receiving host
may take evasive action, such as (temporarily) blacklisting the
source IP address.

Regardless of the local setting as to what constitutes 'DoS', the
checker MUST return PermError even if the sender IP does resolve
favourably (pass) eventually.

This is not to say that the checker MTA MUST reject such
messages. It is entirely up to the local policy whether to accept or
reject any SPF result codes.

--------------- Discussion of Amendments -----------------

I believe that with technology such as the spfcompile program (an
optimizing SPF record compiler), there is little if any need to publish
SPF records more expensive than 10 queries. I have proposed several ways
that an SPF record can be reduced in 'cost'. See spf-discuss archives:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200502/0410.html
("DSN Lookup limit?")

and

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200503/0168.html
("rr.com and SPF records")


I'll be the first to object.  Go look at my record and tell me how to make
it less expensive?  BTW, the ip4: mechanisms are a best guess for Comcast.

I'd be interested to see if you can figure a way to do mine in 10 queries or
less.  My DSL provider's record takes 10 by itself, and so once I include
that one, I'm already at 11.

Scott Kitterman
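To make the arithmetic of the thread concrete, here is an added example (not code from either poster, and not from any SPF implementation) that counts the DNS lookups an SPF record would cost and applies the two thresholds Radu proposes: PermError once more than 10 queries are needed, and a local guard of 20 beyond which the checker simply stops walking the record. It assumes a constructed in-memory zone instead of real DNS, and it uses the counting rule later fixed in RFC 4408 section 10.1 (include, a, mx, ptr, exists and redirect each count one; ip4, ip6, all and exp count nothing). The `dsl-isp.example` record is built to cost exactly 10 lookups, so a record that includes it plus an `mx` term lands at 12, the situation Scott describes; the `loop.example` record shows why a checker needs the upper guard at all.

```python
from typing import NamedTuple

# Mechanisms and the one modifier that cause a DNS query (RFC 4408 s10.1 counting rule).
QUERY_TERMS = ("a", "mx", "ptr", "exists", "include", "redirect")

# Constructed zone for the example: domain -> SPF TXT record. Not real DNS data.
ZONE = {
    # No DNS-querying terms at all: costs 0 lookups.
    "cheap.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # Ten includes, each pointing at an address-only record: costs exactly 10.
    "dsl-isp.example": "v=spf1 "
    + " ".join(f"include:pool{i}.dsl-isp.example" for i in range(1, 11))
    + " -all",
    **{f"pool{i}.dsl-isp.example": "v=spf1 ip4:198.51.100.0/24 -all" for i in range(1, 11)},
    # mx (1) + include (1) + the provider's 10 = 12, over the proposed hard limit.
    "home.example": "v=spf1 mx include:dsl-isp.example -all",
    # Self-referential include: only the guard limit terminates evaluation.
    "loop.example": "v=spf1 include:loop.example -all",
}


class Cost(NamedTuple):
    status: str          # "ok" or "permerror"
    queries: int         # DNS lookups counted before evaluation finished or was abandoned
    stopped_early: bool  # True when the guard limit cut the walk short


def _term_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and return the mechanism/modifier name, lower-cased."""
    body = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        if sep in body:
            return body.split(sep, 1)[0]
    return body


def lookup_cost(domain: str, zone: dict, hard_limit: int = 10, guard_limit: int = 20) -> Cost:
    """Count the DNS-querying terms reachable from `domain`'s SPF record.

    hard_limit  -> proposed limit A: more than this many queries is a PermError.
    guard_limit -> proposed limit B: the checker stops walking here to protect itself.
    Thresholds follow the proposal in the thread and are assumptions of this example.
    """
    count = 0
    stopped_early = False

    def walk(name: str) -> None:
        nonlocal count, stopped_early
        record = zone.get(name.lower())
        if record is None:
            return  # no record: nothing further to count for this target
        for term in record.split()[1:]:  # skip the "v=spf1" version tag
            name_only = _term_name(term)
            if name_only not in QUERY_TERMS:
                continue  # ip4, ip6, all, exp: no query needed
            if count >= guard_limit:
                stopped_early = True  # local DoS guard: abandon the evaluation
                return
            count += 1
            if name_only in ("include", "redirect"):
                # Only include/redirect pull in another SPF record to walk;
                # a, mx, ptr and exists are address lookups and recurse no further.
                sep = ":" if name_only == "include" else "="
                target = term.lstrip("+-~?").split(sep, 1)[1]
                walk(target)
                if stopped_early:
                    return

    walk(domain)
    status = "ok" if count <= hard_limit and not stopped_early else "permerror"
    return Cost(status, count, stopped_early)


if __name__ == "__main__":
    for name in ("cheap.example", "dsl-isp.example", "home.example", "loop.example"):
        print(f"{name:18} {lookup_cost(name, ZONE)}")
```

The two thresholds are kept separate on purpose: the hard limit decides the SPF result, while the guard only decides when the checker stops spending queries, exactly the split the proposal draws between limits A and B.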