spf-discuss

Re: Draft amendments on DNS lookup limits

2005-03-18 17:03:45
Stuart D. Gathman wrote:
> On Fri, 18 Mar 2005, Radu Hociung wrote:
>
>> --------------- Proposed Draft Amendments -----------------
>> I would like to propose that the SPF specification publish two
>> limits for the number of DNS queries performed.
>>
>> A. All SPF checkers MUST resolve at least 10 DNS queries,
>>    regardless of type and recursion. It is recommended that all
>>    clients perform only 10 queries. PermError must be returned if
>>    the first 10 queries do not yield an authoritative SPF policy.
>>
>> B. All SPF checkers SHOULD resolve at most 20 DNS queries, in
>>    order to protect themselves from DoS attacks. The quantity of
>>    20 is to each site's discretion, and MAY be set higher or
>>    lower.
>
> I would agree, if 10 and 20 are changed to 20 and 40 respectively.
> I should modify my milter to keep a histogram of SPF queries by
> number of DNS lookups needed.  This is not, of course, the same
> as the worst case, but would help quantify my subjective experience
> that 10 is not enough.

It's a very good idea to run some statistics, but please keep in mind that the records that are currently out there are more often than not more expensive than they need to be. We should not base the limit on the mistakes we've made so far.

I'm running some stats myself, and I am very curious to see the results.

Instead, I propose we continue the current discussion to find the most complicated record that cannot practically be optimized. What is the largest number of queries that a legitimate setup really, absolutely requires? Once we have that number, we should add some 20-50% for margin of error, and use that as the limit.

I'm not dead set on 10 as a limit, it's just that I cannot envision a configuration that really requires that much traffic. Please show me one.

Greetings,
Radu.
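As an added illustration of the lookup counting the draft amendments above describe (this is example code, not code from the thread, from Stuart's milter, or from any SPF implementation), here is a small Python walker that computes the worst-case number of DNS-querying terms an SPF record needs, following include: and redirect= recursively, and raises PermError as soon as a per-site limit is exceeded. It also builds the kind of histogram Stuart mentions. The zone data is a constructed in-memory table of sample records, not real DNS; the domain names, the `limit` parameter and the helper names are assumptions for the example.

```python
"""Worst-case DNS lookup cost of an SPF record against a per-site limit.

Added example. Terms that need a DNS query (include, a, mx, ptr, exists
and the redirect= modifier) are counted; ip4/ip6/all are free. The
resolver is a constructed in-memory table, not a real DNS client.
"""
from collections import Counter

# Constructed zone data for the example (domain -> SPF TXT record); the
# names are illustrative and are not real records.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 a:mail.example.net "
                        "include:deep.example.org ~all",
    "deep.example.org": "v=spf1 mx exists:%{i}.rbl.example.org "
                        "redirect=final.example.org",
    "final.example.org": "v=spf1 ptr -all",
    "lean.example.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "loop.example.com": "v=spf1 include:loop.example.com -all",
}

# Mechanisms that cost a DNS query when evaluated.
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


class PermError(Exception):
    """The record cannot be evaluated within the site's lookup limit."""


def parse_term(term):
    """Split one SPF term into (name, target). Qualifiers (+ - ~ ?) are
    dropped; 'redirect=dom' yields ('redirect', 'dom'); a mechanism such
    as 'a:mail.example.net' yields ('a', 'mail.example.net')."""
    if term.startswith("redirect="):
        return "redirect", term[len("redirect="):]
    term = term.lstrip("+-~?")
    name, sep, target = term.partition(":")
    return name.lower(), target if sep else ""


def lookup_cost(domain, zone=ZONE, limit=10, _count=None, _seen=None):
    """Worst-case number of DNS-querying terms needed to evaluate the SPF
    record of `domain` (every term assumed evaluated), recursing through
    include: and redirect=. Raises PermError once the running count
    exceeds `limit`, on a missing record, or on an include loop."""
    if _count is None:
        _count = [0]          # shared mutable counter across recursion
    if _seen is None:
        _seen = set()
    if domain in _seen:
        raise PermError(f"include/redirect loop at {domain}")
    _seen.add(domain)

    record = zone.get(domain)   # stands in for the TXT query itself
    if record is None:
        raise PermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError(f"not an SPF record: {record!r}")

    for term in terms[1:]:
        name, target = parse_term(term)
        if name in DNS_MECHANISMS or name == "redirect":
            _count[0] += 1
            if _count[0] > limit:
                raise PermError(
                    f"lookup limit {limit} exceeded at {term} in {domain}")
        if name in ("include", "redirect"):
            lookup_cost(target, zone, limit, _count, _seen)
    return _count[0]


def lookup_histogram(domains, zone=ZONE, limit=10):
    """Histogram of domains by DNS lookups needed; records that hit the
    limit (or cannot be evaluated) are counted under 'PermError'."""
    hist = Counter()
    for d in domains:
        try:
            hist[lookup_cost(d, zone, limit)] += 1
        except PermError:
            hist["PermError"] += 1
    return hist


if __name__ == "__main__":
    for d in ZONE:
        try:
            print(f"{d:20s} {lookup_cost(d):2d} lookups")
        except PermError as e:
            print(f"{d:20s} PermError: {e}")
    print("limit 10:", dict(lookup_histogram(ZONE, limit=10)))
    print("limit 5: ", dict(lookup_histogram(ZONE, limit=5)))
```

With the sample zone, example.com costs 9 lookups (mx, a, include, then a and include in the included record, then mx, exists and redirect, then ptr), so it passes a limit of 10 but fails a limit of 5. Lowering `limit` and watching how many records move into the PermError bucket is the measurement the thread is asking for: it shows how much of the cost comes from records that are more expensive than they need to be, rather than from setups that genuinely require that many queries.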