spf-discuss

Re: Re: rr.com and SPF records

2005-03-18 15:27:04


Stuart D. Gathman wrote:
> On Fri, 18 Mar 2005, Guy wrote:
>
>> Almost a month went by before someone said an ISP should use a limit less
>> than 10.  Even then no exact figure was given, other than my 9 or 8.  So,
>> no, it is not obvious!  The spec SHOULD have a section that explains that
>> ISPs SHOULD limit DNS lookups to x, and why.  x still needs to be defined
>> IMO.
>
> You are absolutely correct.
>
> My specific proposal is that an ISP SHOULD limit DNS lookups to 10, and
> SPF checkers MUST allow up to 20.  That will leave room for small fry
> to include their ISP and add a few other things.
>
> Currently, the spec says that at least 10 calls to check_host() must
> be supported (limiting recursion via redirect and include), and at
> least 20 seconds elapsed time must be allowed for SPF evaluation.  There is no
> recommended limit to DNS lookups for mail receivers, but the spec notes that
> since the sender bears the brunt of any DoS attack via SPF, that should
> motivate them to minimize the number of DNS lookups.


Hello Stuart,

In the "DNS Lookup limit?" thread I gave a worm example that hurts the recipient quite badly.

See it here:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200502/0364.html

In view of such an attack, I think the spec should protect the
recipients by specifying as low a limit as practical.

We need a Best-Practices doc along the lines:

ISPs typically have full control of their mail infrastructure (i.e., all SMTP servers are in their IP space). Thus, typically ISPs should publish SPF records that are simply lists of IPs.

It is recommended that ISPs keep their SPF records down to 2 queries, including the initial TXT query. This allows them an IP list about 1000 bytes long.

Companies/Vanity users rely on the services of ISPs, and their mail infrastructure is usually under the ISP's control. These domains use includes to point to their ISP's SPF records. Most such companies rely on up to 3 ISPs for mail. This means their record would have 3 includes. If the ISPs they use publish records as recommended above, the total number of queries needed for such a company is (1 TXT + 3 includes + 3*(1 query/ISP)).

Companies/Vanity users who need to use more than 3 ISPs should spfcompile (at least partially) their records. Very few should need to do this.

With these assumptions, the minimum # of lookups could be as low as 7.

Allowing ISPs up to 2 queries per record (i.e., 3 queries, including the initial one) would make the minimum 10 queries.

Regards,
Radu.
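The query arithmetic in the message above (1 initial TXT, plus one TXT per include, plus whatever each ISP's own record costs) is easy to get wrong by hand once redirects and a/mx terms enter the picture. The following is an added example, not code from Radu's message or from any SPF implementation: a small offline counter that walks a constructed in-memory zone and totals the DNS queries an SPF evaluation would spend, plus a flattener that does what the message calls "spfcompile". All domain names, records and address ranges in it are constructed for illustration (RFC 5737/3849 documentation prefixes), and the counting rule is an assumption stated in the docstring: one per a/mx/ptr/exists term, and for include/redirect the target's own total, with the initial TXT always counted.

```python
"""Offline SPF DNS-query counter and record flattener (added example)."""

# Constructed example zone: domain -> SPF TXT record. Not real ISPs.
ZONE = {
    # Three ISPs at the proposed budget of 2 queries each:
    # their own TXT plus one include of an IP-only record.
    "isp-a.example": "v=spf1 include:_ips.isp-a.example -all",
    "_ips.isp-a.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "isp-b.example": "v=spf1 include:_ips.isp-b.example -all",
    "_ips.isp-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "isp-c.example": "v=spf1 include:_ips.isp-c.example -all",
    "_ips.isp-c.example": "v=spf1 ip6:2001:db8::/32 -all",
    # A small company relaying through all three ISPs.
    "smallco.example": "v=spf1 include:isp-a.example include:isp-b.example "
                       "include:isp-c.example -all",
    # A company with its own MX plus one ISP.
    "corp.example": "v=spf1 mx a:mail.corp.example include:isp-a.example ~all",
    # The same three-ISP layout, but with ISPs at 3 queries each.
    "bigco.example": "v=spf1 include:isp-d.example include:isp-e.example "
                     "include:isp-f.example -all",
}
for i, name in enumerate(("isp-d", "isp-e", "isp-f")):
    ZONE[f"{name}.example"] = (f"v=spf1 include:_ips1.{name}.example "
                               f"include:_ips2.{name}.example -all")
    ZONE[f"_ips1.{name}.example"] = f"v=spf1 ip4:192.0.2.{64 * i}/26 -all"
    ZONE[f"_ips2.{name}.example"] = f"v=spf1 ip4:198.51.100.{64 * i}/26 -all"

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}


def _split(term):
    """Split an SPF term into (qualifier, body), e.g. '-all' -> ('-', 'all')."""
    if term[0] in "+-~?":
        return term[0], term[1:]
    return "+", term


def count_queries(domain, zone=ZONE, path=()):
    """Total DNS queries to evaluate `domain`: the initial TXT, one per
    a/mx/ptr/exists term, and for include/redirect the target's own total.
    (Assumed counting rule; mx and ptr trigger further A/PTR queries at
    evaluation time, which, like the spec's 10-term limit, this ignores.)"""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    path = path + (domain,)
    total = 1                       # the TXT query is spent even on NXDOMAIN
    record = zone.get(domain)
    if record is None:
        return total
    for term in record.split()[1:]:
        _, body = _split(term)
        if body.startswith("redirect="):
            total += count_queries(body[len("redirect="):], zone, path)
            continue
        mech, _, arg = body.partition(":")
        mech = mech.split("/", 1)[0]     # 'mx/24' -> 'mx'
        if mech == "include":
            total += count_queries(arg, zone, path)
        elif mech in LOOKUP_MECHANISMS:
            total += 1
    return total


def _compile(domain, zone, path):
    """Return (terms, all_term) for `domain` with include/redirect inlined."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    path = path + (domain,)
    terms, final = [], None
    for term in zone[domain].split()[1:]:
        qual, body = _split(term)
        if body.startswith("redirect="):
            inner, final = _compile(body[len("redirect="):], zone, path)
            terms.extend(inner)
        elif body.startswith("include:"):
            inner, _ = _compile(body[len("include:"):], zone, path)
            # Only plain '+' terms inside an include keep their meaning when
            # hoisted; an included '-all' never applies to the outer record.
            if qual != "+" or any(_split(t)[0] != "+" for t in inner):
                raise NotImplementedError(f"cannot flatten {term}")
            terms.extend(inner)
        elif body == "all":
            final = term
        else:
            terms.append(term)      # ip4/ip6 literal, or a/mx/ptr/exists kept
    return terms, final


def flatten(domain, zone=ZONE):
    """Compile `domain`'s record into literal terms (the message's
    'spfcompile'), de-duplicated, so that it costs a single TXT query."""
    terms, final = _compile(domain, zone, ())
    out = list(dict.fromkeys(terms))     # drop duplicates, keep first order
    return " ".join(["v=spf1", *out, *([final] if final else [])])


if __name__ == "__main__":
    for d in ("isp-a.example", "smallco.example", "corp.example", "bigco.example"):
        print(f"{d:18} {count_queries(d):2} queries")
    print(flatten("smallco.example"))
```

Run against the constructed zone, smallco.example comes out at 7 queries and bigco.example at 10, matching the two figures in the message, while the flattened smallco record costs 1. Loops through include or redirect raise rather than recurse forever, which is the failure mode the thread's worm example exploits against receivers.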

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf

