spf-discuss
[Top] [All Lists]

DNS Query Format

2005-03-24 09:21:39

It has been mentioned that the %{i} macro could be included in the query, and then the server could reply with PASS/FAIL. I think this is a bad idea, because all those queries are uncacheable, so this truly circumvents the benefits that were designed into DNS. When the DDOS attempt does happen, caching can really help lower the impact. It may be that I didn't understand the proposal well enough.

Good point. I hadn't thought of that. Also, since the PASS/FAIL response takes the same single IP datagram as a list of IPs, there is not much to be gained.

One more thought on this topic: Even though we see no advantage now in having a DNS server reply with a PASS/FAIL, would it be a good idea to include the IP address in the DNS query anyway? That will add a negligible 4 bytes to the query, and will allow for some future use of this information. This might be, for example, a daemon that alerts a domain owner when an IP in their domain attempts an unauthorized use of the domain name. ( A zombie catcher !! )

I raise this question now, because it will be a lot easier to modify the standard now than later.

-- Dave


*************************************************************     *
* David MacQuigg, PhD          * email: dmquigg-spf(_at_)yahoo(_dot_)com     *  
*
* IC Design Engineer           * phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                  *  *  *
*                                  * 9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.             * Tucson, Arizona 85710        *
************************************************************* *