On Fri, 18 Mar 2005, Guy wrote:
Almost a month went by before someone said an ISP should use a limit less
than 10. Even then no exact figure was given, other than my 9 or 8. So,
no, it is not obvious! The spec SHOULD have a section that explains that
ISPs SHOULD limit DNS lookups to x, and why. x still needs to be defined
IMO.
You are absolutely correct.
My specific proposal is that an ISP SHOULD limit DNS lookups to 10, and
SPF checkers MUST allow up to 20. That will leave room for small fry
to include their ISP and add a few other things.
Currently, the spec says that at least 10 calls to check_host() must
be supported (limiting recursion via redirect and include), and at
least 20 seconds of elapsed time must be allowed for SPF evaluation. There is no
recommended limit to DNS lookups for mail receivers, but the spec notes that
since the sender bears the brunt of any DoS attack via SPF, that should
motivate them to minimize the number of DNS lookups.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
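As an added example (not code from this thread or from any SPF implementation), the following Python counter walks a constructed, in-memory set of SPF records the way a checker follows include: and redirect=, and counts the terms that cost a DNS lookup against the 10-lookup budget discussed above. The zone contents, the DEFAULT_LIMIT name and the helper names are assumptions for illustration only.

```python
"""Count the DNS lookups an SPF record needs at evaluation time (added example)."""

# Mechanisms that cost a DNS lookup under SPF; redirect= is handled separately.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
DEFAULT_LIMIT = 10  # the per-record budget proposed in the thread

# Constructed zone (domain -> SPF TXT record); no network access is made.
ZONE = {
    "smallfry.example": "v=spf1 mx include:isp.example ~all",
    "isp.example": "v=spf1 include:mail1.isp.example include:mail2.isp.example -all",
    "mail1.isp.example": "v=spf1 a mx -all",
    "mail2.isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing record
}


class TooManyLookups(Exception):
    """Evaluation would exceed the lookup budget (an SPF checker returns permerror)."""


def count_lookups(domain, zone=ZONE, limit=DEFAULT_LIMIT):
    """Return the number of DNS lookups needed to evaluate domain's record.

    Raises TooManyLookups as soon as the running count passes the limit,
    which is what stops a looping or deeply nested include chain.
    """
    total = 0
    pending = [domain]
    while pending:
        record = zone.get(pending.pop(), "")
        for term in record.split()[1:]:  # skip the "v=spf1" version tag
            term = term.lstrip("+-~?")  # drop the qualifier, if any
            if term.startswith("redirect="):
                total += 1
                pending.append(term.split("=", 1)[1])
            else:
                mech, _, arg = term.partition(":")
                mech = mech.split("/", 1)[0]  # "a/24" and "mx/24" still cost a lookup
                if mech in LOOKUP_MECHANISMS:
                    total += 1
                    if mech == "include":
                        pending.append(arg)
            if total > limit:
                raise TooManyLookups(f"{domain}: more than {limit} DNS lookups")
    return total


def exceeds_limit(domain, zone=ZONE, limit=DEFAULT_LIMIT):
    """True when evaluating domain would blow the lookup budget."""
    try:
        count_lookups(domain, zone, limit)
    except TooManyLookups:
        return True
    return False
```

Running count_lookups against a real published record would need a DNS TXT query per domain in place of the ZONE dictionary; the walk and the budget check stay the same.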