From: Radu Hociung
Date: Mon Mar 21 2005 - 00:21:49 EST
Recently I've been paying attention to my traffic, and my DNS traffic
originating from the mail server is about 2.5 times the traffic of mail
actually transferred through the MTA port. This is traffic that actually
goes out the Ethernet port, so it represents DNS cache misses. I think
more than 75% of the DNS traffic is due to the SPF checking. I feel this
is too much of a load.
...
I don't have enough stats to see how this scales, but it would mean that
if one of the large ISPs wanted to check SPF, they'd need twice as much
DNS infrastructure as they currently use for mail.

From: Radu Hociung
Date: Mon Mar 21 2005 - 18:47:05 EST
I am not comparing current volumes of DNS traffic, because SPF is just
getting started. I am comparing the designs of the applications that use
DNS. I think SPF is by design much heavier on DNS than anything else
we've seen so far. When/if everyone adopts it, it will be the heaviest
by volume too.

Radu makes a very good argument, and one that has changed my mind. I no
longer see the arguments about SPF and DNS as pure FUD. The stats on his
experience with DNS loads being 75% SPF checking are especially
compelling. The burden is now on the "don't worry" advocates to show that
when SPF is widely used, DNS will have no problem with whatever the
spammers can throw at it.
Unless Radu's setup is unusual, we can expect worse when spammers start
seeing SPF as more than just a minor annoyance. When that happens, they
will target SPF checking receivers with SPF records designed to be as
costly as possible. If we allow 20 lookups, they will use all 20, and some
of those 20 will be tarpits. Others will be a constantly-changing list of
innocent domains that just happen to provide costly SPF records. All this
SPF checking has to be done before the spam filter, so it must hold up
under the maximum possible flow of raw sewage.
The burden will be on the receiver, not, as someone suggested earlier, on
the providers of costly SPF records. (Try to think like a spammer.) There
will be no incentive for these providers to clean up their SPF
records. The more I think about this, the more I'm coming to the
conclusion that we need to shift the burden OFF the receiver and onto the
sender, who has an incentive to make sure his mail gets through.
Maybe we should say every SPF query should include the IP address that is
being checked. Then a smart DNS server could return PASS or FAIL instead
of some complex SPF record. Whoever writes the script that does this check
on the server side will figure out if they want to use the original SPF
record, or keep a local compiled version with a short lifetime. This would
also be the appropriate place to have an "Update Now" command, so when
rr.com gets a call from austin.rr.com "We just moved our server", the
update can be done immediately.
This doesn't mean abandoning SPF. It just means that the convenient but
complex SPF records will be kept locally. What goes out, in one shot, is
just the current list of allowed IPs, or preferably just a
PASS/FAIL. Eventually, everyone will update their DNS servers, and
PASS/FAIL will be the dominant mode.
-- Dave
David MacQuigg, PhD                 email: dmq'at'gci-net.com
IC Design Engineer                  phone: USA 520-721-4583
Analog Design Methodologies         9320 East Mikelyn Lane
VRS Consulting, P.C.                Tucson, Arizona 85710
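The two points argued above, that every include/a/mx/ptr/exists/redirect term in a record costs the receiver a DNS query before any spam filter runs, and that the same record can instead be compiled once into a flat list of networks so a client IP is answered with PASS/FAIL without further DNS traffic, can be made concrete with a small evaluator. The following is an added example and not code from the thread or from any SPF implementation; the in-memory ZONE dict stands in for DNS and is constructed for illustration (the domain names are reserved example names, and "spammer.test" is a made-up hostile record). The lookup budget defaults to 10, the limit that RFC 4408 and RFC 7208 later fixed, rather than the 20 discussed in the message.

```python
"""Mini SPF evaluator over an in-memory zone: measures the DNS cost of a record
and answers PASS/FAIL from a locally compiled copy. Added example, not from the
original thread; ZONE is constructed and stands in for real DNS."""
import ipaddress

MAX_LOOKUPS = 10  # limit later fixed by RFC 4408/7208; the 2005 thread spoke of 20
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each one costs a DNS query
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral", "none": "none"}

ZONE = {  # constructed zone: name -> record types
    "example.com": {"txt": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all",
                    "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["192.0.2.25", "192.0.2.26"]},
    "_spf.example.net": {"txt": "v=spf1 a ip6:2001:db8::/32 ~all", "a": ["198.51.100.5"]},
    # constructed hostile record: six includes, each pulling in three more lookup terms
    "spammer.test": {"txt": "v=spf1 " + " ".join(f"include:h{i}.spammer.test" for i in range(6)) + " -all"},
}
for i in range(6):
    ZONE[f"h{i}.spammer.test"] = {"txt": "v=spf1 a mx ptr -all", "a": ["203.0.113.1"], "mx": []}

class LookupBudgetExceeded(Exception):
    """The record needs more lookup terms than the budget allows (RFC 7208: permerror)."""

class FakeResolver:
    """Stands in for DNS; counts packets sent (queries) and budgeted lookup terms (lookups)."""
    def __init__(self, zone, budget=MAX_LOOKUPS):
        self.zone, self.budget, self.queries, self.lookups = zone, budget, 0, 0

    def query(self, name, rtype):
        self.queries += 1
        return self.zone.get(name, {}).get(rtype)

    def charge(self, domain, mech):
        self.lookups += 1
        if self.lookups > self.budget:
            raise LookupBudgetExceeded(f"{domain}: {mech} is lookup term #{self.lookups}")

def parse(record):
    """Yield (qualifier, mechanism_or_modifier, argument) for each term of a record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in parts[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        for sep in ("=", ":"):  # modifiers use '=', mechanisms ':'
            if sep in term:
                name, arg = term.split(sep, 1)
                yield qual, name.lower(), arg
                break
        else:
            yield qual, term.lower(), None

def compile_spf(domain, r):
    """Flatten a record into ([(qualifier, network)], default_qualifier).

    Each lookup term is charged before its query is sent, so a hostile record fails
    closed with permerror instead of driving unbounded DNS traffic. Simplified: no
    macros, no a/mx CIDR suffixes, no exp=; ptr and exists are charged but not
    compiled, since they need the client IP at check time."""
    record = r.query(domain, "txt")
    if record is None:
        return [], "none"
    networks, default, redirect = [], "?", None  # no 'all' and no redirect => neutral
    for qual, mech, arg in parse(record):
        target = arg or domain
        if mech in LOOKUP_MECHS:
            r.charge(domain, mech)
        if mech in ("ip4", "ip6"):
            networks.append((qual, ipaddress.ip_network(arg, strict=False)))
        elif mech == "a":
            networks += [(qual, ipaddress.ip_network(h)) for h in r.query(target, "a") or []]
        elif mech == "mx":
            for host in r.query(target, "mx") or []:
                networks += [(qual, ipaddress.ip_network(h)) for h in r.query(host, "a") or []]
        elif mech == "include":  # an include matches only where the inner record PASSes
            inner, _ = compile_spf(target, r)
            networks += [(qual, net) for q, net in inner if q == "+"]
        elif mech == "redirect":
            redirect = arg
        elif mech == "all":
            default = qual
            break
    if redirect and default == "?":  # redirect= applies only when no 'all' was reached
        r.charge(domain, "redirect")
        inner, default = compile_spf(redirect, r)
        networks += inner
    return networks, default

def check(ip, networks, default):
    """PASS/FAIL for a client IP from the compiled list, with zero DNS traffic."""
    addr = ipaddress.ip_address(ip)
    for qual, net in networks:
        if addr.version == net.version and addr in net:
            return RESULT[qual]
    return RESULT[default]

def evaluate(domain, ip, zone=ZONE, budget=MAX_LOOKUPS):
    """Receiver-side check. Returns (result, dns_queries_sent, lookup_terms_charged)."""
    r = FakeResolver(zone, budget)
    try:
        result = check(ip, *compile_spf(domain, r))
    except LookupBudgetExceeded:
        result = "permerror"
    return result, r.queries, r.lookups
```

Run `evaluate("example.com", "198.51.100.5")` and the record costs five queries and three budgeted lookup terms before PASS is known; `evaluate("spammer.test", "203.0.113.1")` is cut off with permerror after nine queries, because the constructed record needs 24 lookup terms (it would exceed a budget of 20 as well), and with the budget lifted it costs 19 queries on the wire for a single check. Once `compile_spf` has run, `check` answers any client IP for that domain from the flattened list alone, which is the "keep the complex record local, send out PASS/FAIL" arrangement the message proposes.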