Stuart D. Gathman wrote:
On Fri, 18 Mar 2005, Guy wrote:
Almost a month went by before someone said an ISP should use a limit less
than 10. Even then no exact figure was given, other than my 9 or 8. So,
no, it is not obvious! The spec SHOULD have a section that explains that
ISPs SHOULD limit DNS lookups to x, and why. x still needs to be defined
IMO.
You are absolutely correct.
My specific proposal is that an ISP SHOULD limit DNS lookups to 10, and
SPF checkers MUST allow up to 20. That will leave room for small fry
to include their ISP and add a few other things.
Currently, the spec says that at least 10 calls to check_host() must
be supported (limiting recursion via redirect and include), and at
least 20 seconds elapsed time must be allowed for SPF evaluation. There is no
recommended limit to DNS lookups for mail receivers, but the spec notes that
since the sender bears the brunt of any DoS attack via SPF, that should
motivate them to minimize the number of DNS lookups.
Hello Stuart,
In the "DNS Lookup limit?" thread I gave a worm example that hurts the
recipient quite badly.
See it here:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200502/0364.html
In view of such an attack, I think the spec should protect the
recipients by specifying as low a limit as practical.
We need a Best-Practices doc along the lines:
ISPs typically have full control of their mail infrastructure (i.e., all
SMTP servers are in their IP space). Thus, typically ISPs should publish
SPF records that are simply lists of IPs.
It is recommended that ISPs keep their SPF records down to 2 queries,
including the initial TXT query. This allows them an IP list about 1000
bytes long.
Companies/Vanity users rely on the services of ISPs, and their mail
infrastructure is usually under the ISP's control. These domains use
includes to point to their ISP's SPF records. Most such companies rely
on up to 3 ISPs for mail. This means their record would have 3 includes.
If the ISPs they use publish records as recommended above, the total
number of queries needed for such a company is (1 TXT + 3 includes +
3*(1 query/ISP)).
Companies/Vanity users who need to use more than 3 ISPs should
spfcompile (at least partially) their records. Very few should need to
do this.
With these assumptions, the minimum # of lookups could be as low as 7.
Allowing ISPs up to 2 queries per record (i.e., 3 queries, including the
initial one) would make the minimum 10 queries.
Regards,
Radu.
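The lookup accounting in the message above, as an added example that is not part of the thread: it walks a constructed in-memory zone (all domain names hypothetical) and counts queries the way Radu counts them, with the initial TXT query included, stopping as soon as a receiver's limit is passed.

```python
# Added example, not from the thread: count the DNS queries an SPF check needs,
# using the thread's counting (initial TXT query included) over a constructed
# in-memory zone. All domain names and addresses below are hypothetical.

ZONE = {
    "vanity.example": "v=spf1 include:isp-a.example include:isp-b.example "
                      "include:isp-c.example -all",
    "isp-a.example": "v=spf1 ip4:192.0.2.0/24 mx -all",                    # TXT + 1 MX query
    "isp-b.example": "v=spf1 a:smtp.isp-b.example ip4:198.51.100.0/24 -all",  # TXT + 1 A query
    "isp-c.example": "v=spf1 include:pool.isp-c.example -all",             # TXT + included TXT
    "pool.isp-c.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",                    # pathological self-include
}

# Terms that cost a DNS query when evaluated; ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


class LookupLimitExceeded(Exception):
    """Raised as soon as the running query count passes the receiver's limit."""


def count_lookups(domain, zone=ZONE, limit=10, _path=()):
    """Return the number of DNS queries needed to evaluate `domain`'s SPF record:
    one for its own TXT record plus one per lookup term, recursing into
    include:/redirect= targets (the target's TXT query is what the include costs)."""
    if domain in _path:
        raise ValueError("include/redirect loop via " + domain)
    path = _path + (domain,)
    total = 1                                      # the TXT query for this record
    record = zone.get(domain, "")
    for term in record.split()[1:]:                # skip the "v=spf1" version tag
        term = term.lstrip("+-~?").split("/")[0]   # drop qualifier and CIDR suffix
        name, _, target = term.replace("=", ":", 1).partition(":")
        if name not in LOOKUP_TERMS:
            continue
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, limit, path)
        else:
            total += 1                             # a, mx, ptr, exists: one query each
        if total > limit:
            raise LookupLimitExceeded(f"{domain}: {total} queries exceed limit {limit}")
    return total
```

With the zone above, count_lookups("vanity.example") returns 7, the figure the message arrives at for a company on three ISPs that each stay within two queries.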