spf-discuss

Re: Response to DDoS using SPF

2005-03-24 07:14:09

> Simply removing SPF may not be an option.  More likely there would be a
> worldwide switch to SenderID [... ,] which avoids all these problems.

SenderID uses the same record syntax and DNS look-up system as SPF. It is, I
suspect, therefore vulnerable to the same kind of DDOS attack, with the same
potential for amplification.

Here is the original quote, in context:

As for "quick fixes", I can not come up with any that are less work than
disabling SPF altogether.  Say the quick fix is to change your SPF
record, most likely close to the absolute minimum amount of work there
could possibly be.  This is exactly the same amount of work as removing
your SPF record or commenting out a line in your MTA's configuration.
In which case, if someone has negative information concerning SPF,
they'll just remove it.

Simply removing SPF may not be an option. More likely there would be a worldwide switch to SenderID or another authentication protocol like DomainKeys, which avoids all these problems.

The subordinate clause refers to DomainKeys, not SenderID. SenderID would have the same problems.

My statement was not intended to spark a debate over the merits of these different protocols, but simply to say that a successful attack on SPF could result in a worldwide switch to another protocol, even one that might have worse problems.

I have a suggestion for these discussions. Assume that someone is coming into the discussion without having read all the prior posts. Quote everything in the prior posts that is relevant. Storage is not an issue, and it is very easy if you are following the discussion closely to just skip past the quotes.

Also, I think it is a good idea to delete the automatically inserted who-said-what lines. The discussion will go more quickly if nobody feels they are being personally attacked, and have to defend some prior statement.

-- Dave

*************************************************************
* David MacQuigg, PhD          * email: dmquigg-spf(_at_)yahoo(_dot_)com
* IC Design Engineer           * phone:  USA 520-721-4583
* Analog Design Methodologies  *
*                              * 9320 East Mikelyn Lane
* VRS Consulting, P.C.         * Tucson, Arizona 85710
*************************************************************

