spf-discuss

Re: Draft amendments on DNS lookup limits

2005-03-18 15:44:30
On Fri, 18 Mar 2005, Radu Hociung wrote:

--------------- Proposed Draft Amendments -----------------
I would like to propose that the SPF specification publish two
limits for the number of DNS queries performed.

A. All SPF checkers MUST resolve at least 10 DNS queries,
    regardless of type and recursion. It is recommended that all
    clients perform only 10 queries. PermError must be returned if
    the first 10 queries do not yield an authoritative SPF policy.

B. All SPF checkers SHOULD resolve at most 20 DNS queries, in
    order to protect themselves from DoS attacks. The quantity of
    20 is to each site's discretion, and MAY be set higher or
    lower.

I would agree, if 10 and 20 are changed to 20 and 40 respectively.
I should modify my milter to keep a histogram of SPF queries by
number of DNS lookups needed.  This is not, of course, the same
as the worst case, but would help quantify my subjective experience
that 10 is not enough.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
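The disagreement above is about where to cap the number of DNS-querying terms (include:, a, mx, ptr, exists and redirect=) before a checker gives up with PermError. The following is an added example, not code from this thread or from any SPF implementation mentioned in it: it walks a constructed zone (a plain dict standing in for TXT lookups) and charges every such term, including those in included or redirected policies, against a single budget. It counts the full policy tree, i.e. the worst case, rather than the lookups an actual check would stop at once a mechanism matched, so it is a different measurement from the per-message histogram proposed in the reply. The domains and records are invented for the example; the limit of 10 quoted in the comments is the figure RFC 7208 later standardised.

```python
"""Count the DNS-querying terms in an SPF policy against a lookup cap.

Added example, not code from the thread.  The zone below is constructed;
a real checker would resolve TXT records instead of reading a dict.
"""

# Mechanisms and the one modifier whose evaluation costs a DNS query.
# (RFC 7208 later fixed the cap at 10 of these per check_host() call.)
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


class PermError(Exception):
    """Raised when the policy cannot be evaluated within the lookup limit."""


def parse_terms(record):
    """Split an SPF record body into (qualifier, name, argument) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                      # modifier, e.g. redirect=other.example
            name, arg = tok.split("=", 1)
        elif ":" in tok:                    # mechanism with argument, e.g. include:x
            name, arg = tok.split(":", 1)
        elif "/" in tok:                    # bare mechanism with CIDR, e.g. a/24
            name, arg = tok.split("/", 1)
        else:                               # bare mechanism such as 'mx' or 'all'
            name, arg = tok, None
        terms.append((qualifier, name.lower(), arg))
    return terms


class LookupCounter:
    """Walks include: and redirect= recursively, counting DNS-querying terms."""

    def __init__(self, zone, limit):
        self.zone = zone          # constructed domain -> SPF record mapping
        self.limit = limit
        self.count = 0

    def _charge(self, name, domain):
        self.count += 1
        if self.count > self.limit:
            raise PermError(
                f"{name} on {domain}: lookup {self.count} exceeds limit {self.limit}")

    def walk(self, domain):
        record = self.zone.get(domain)
        if record is None:
            raise PermError(f"no SPF record for {domain}")
        for _qualifier, name, arg in parse_terms(record):
            if name not in DNS_TERMS:
                continue          # ip4:, ip6:, all and exp= cost nothing here
            self._charge(name, domain)
            if name in ("include", "redirect"):
                # The included/redirected policy is evaluated in full, so its
                # own terms are charged to the same budget.
                self.walk(arg)
        return self.count


def check_limit(domain, zone, limit):
    """Return ("ok", lookups) or ("PermError", reason) for the worst-case walk."""
    counter = LookupCounter(zone, limit)
    try:
        return ("ok", counter.walk(domain))
    except PermError as err:
        return ("PermError", str(err))


# Constructed zone: a small policy and a deep one that needs 14 lookups,
# so it passes a cap of 20 but fails a cap of 10.
ZONE = {
    "small.example": "v=spf1 mx a:mail.small.example ip4:192.0.2.0/24 -all",
    "big.example":   "v=spf1 include:one.example include:two.example mx -all",
    "one.example":   "v=spf1 a mx ptr exists:%{i}.rbl.example -all",
    "two.example":   "v=spf1 include:three.example a mx -all",
    "three.example": "v=spf1 a mx mx:mx2.example a:a2.example -all",
}

if __name__ == "__main__":
    for dom in ("small.example", "big.example"):
        for limit in (10, 20):
            print(dom, limit, check_limit(dom, ZONE, limit))
```

Running the block shows big.example evaluating cleanly under a cap of 20 (14 lookups) and failing with PermError at the eleventh term under a cap of 10, which is exactly the kind of policy the two sides of the thread would classify differently. The counter deliberately ignores the extra MX and PTR record fetches that a live check performs, since those are governed by a separate per-mechanism limit rather than the overall cap under discussion.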