spf-discuss

Re: Draft amendments on DNS lookup limits

2005-03-18 21:54:29
Radu Hociung wrote:

A. All SPF checkers MUST resolve at least 10 DNS queries,
...................................^^^^^^^^
Objection: "at least" is not a precise limit; the same sender and
policy would work with some receivers but not others.

regardless of type and recursion.
.........................^^^^^^^^^
Objection: an overall limit of 10 DNS queries is way too small.

It is recommended that all clients perform only 10 queries.
........^^^^^^^^^^^
Objection: the limit must be a MUST for consistent results
with different implementations.

PermError must be returned if the first 10 queries do not
..^^^^^^^^^
yield an authoritative SPF policy.
...........^^^^^^^^^^^^^^^^^^^^^^^^
Objection: the maximum number of DNS queries to get a policy
is _two_ (q=spf and q=txt); authoritative or not is irrelevant.

The result if you don't get a policy is "None" or "TempError",
not "PermError" (the SPF-bible chapter 4 verse 5).

B. All SPF checkers SHOULD resolve at most 20 DNS queries
.....................................^^^^^^^.^^^^^^^^^^^^^^
Objection: "at most" is not a precise limit; the same sender and
policy would work with some receivers but not others.

Objection: 20 DNS queries is still too small; a mechanism like
mx:t-online.de could result in 1+8=9 queries.

The quantity of 20 is to each site's discretion, and MAY be
set higher or lower.

Objection: the same sender with the same policy would then get
pseudo-random results ranging from 2xx through 4xx to 5xx.  A
receiver is free to do whatever it likes, but it MUST NOT claim
that this is the result of some SPF-goes-PRA-plus-timeout-at-the-MUA
"test".

the receiving host may take evasive action

SPF is about _sender_ policies, and not about the management
of local blacklists or iptables at _receivers_ against attacks.

Regardless of the local setting as to what constitutes 'DoS',
the checker MUST return PermError

If you've blacklisted an abusive IP, you never come to the point
where you'd lie saying "PermError".  Or is that a scheme to get
mailto:postmaster@ but reject anything else?  Even then it's
not correct to say "SPF PermError" instead of "blacklisted".

                        Bye, Frank
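The query accounting argued over in this thread, as an added example that is not part of the post and not code from any SPF implementation. It walks a policy with a resolver that counts every DNS query against a receiver-chosen limit, using the costs discussed above: at most two queries (SPF RR type, then TXT) to obtain a policy, and one MX query plus one A query per MX host for an mx mechanism (the 1+8 case). The zone data and domain names are constructed for the example, and the per-mechanism costs assumed for a, exists and ptr are this example's own, not the draft's. Running the same record against a limit of 10 and a limit of 20 shows the inconsistency objected to above: one receiver reports PermError, the other completes the check.

```python
import re


class PermError(Exception):
    """The evaluation needed more DNS queries than this receiver allows."""


# Constructed zone data standing in for live DNS (hypothetical names and
# records chosen for the example, not any real published policy).
ZONE = {
    ("example.org", "TXT"): ["v=spf1 mx:mail.example.net include:relay.example -all"],
    ("mail.example.net", "MX"): ["mx%d.example.net" % i for i in range(1, 9)],  # 8 hosts
    ("relay.example", "TXT"): ["v=spf1 a ip4:192.0.2.0/24 -all"],
}


class CountingResolver:
    """Answers from a zone dict and counts every query against a hard limit."""

    def __init__(self, zone, limit):
        self.zone, self.limit, self.queries = zone, limit, 0

    def lookup(self, name, rrtype):
        self.queries += 1
        if self.queries > self.limit:
            raise PermError("query %d exceeds limit %d (%s %s)"
                            % (self.queries, self.limit, rrtype, name))
        return self.zone.get((name, rrtype), [])


def fetch_policy(domain, resolver):
    """At most two queries to obtain a policy: SPF RR type first, then TXT."""
    for rrtype in ("SPF", "TXT"):
        for rdata in resolver.lookup(domain, rrtype):
            if rdata.split(None, 1)[0] == "v=spf1":
                return rdata
    return None


# qualifier, mechanism/modifier name, optional argument after ':' or '='
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](.*))?$")


def walk_policy(domain, resolver):
    """Spend the DNS queries the terms of domain's policy require.
    Returns False when the domain publishes no policy (SPF result None)."""
    policy = fetch_policy(domain, resolver)
    if policy is None:
        return False
    for raw in policy.split()[1:]:
        m = TERM.match(raw)
        if not m:
            continue  # unknown syntax: ignored here, costs nothing
        name, arg = m.group(1), m.group(2)
        target = arg or domain
        if name == "mx":
            # 1 MX query plus one A query per MX host (1+8 in the example zone)
            for host in resolver.lookup(target, "MX"):
                resolver.lookup(host, "A")
        elif name in ("a", "exists"):
            resolver.lookup(target, "A")  # assumed cost: one query
        elif name == "ptr":
            resolver.lookup(target, "PTR")  # assumed cost: one query
        elif name in ("include", "redirect"):
            walk_policy(target, resolver)  # recursion shares the same counter
        # ip4, ip6, all and other modifiers need no DNS at all
    return True


def check(domain, limit, zone=ZONE):
    """Return (result, queries spent) for one receiver's query limit."""
    resolver = CountingResolver(zone, limit)
    try:
        found = walk_policy(domain, resolver)
    except PermError:
        return ("PermError", resolver.queries)
    return ("ok" if found else "None", resolver.queries)


if __name__ == "__main__":
    for limit in (10, 20):
        print("limit %d: %s" % (limit, check("example.org", limit)))
```

With the constructed zone the full walk costs 14 queries (2 for the policy, 9 for the mx mechanism, 3 for the included policy), so a receiver at limit 20 finishes while one at limit 10 stops at the eleventh query with PermError. A domain that publishes nothing costs exactly the two policy lookups and yields None, matching the accounting in the post.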