spf-discuss

Re: Re: DNS load research

2005-03-24 19:59:15
David MacQuigg wrote:

I propose that we add a mask modifier that looks like this:

-m=64/6 m=80.66/16 m=192/3


Cool idea, but why do we need any more syntax? How is that different from:
-ip4:64/6 -ip4:80.66/16 -ip4:192/3
?
The SPF compiler would just put those shortcuts in the first record.


I think you misunderstood. The legit outgoing servers _are_ on those nets, so you don't want to fail them with -. A way to exclude IP ranges is needed.


What is the advantage of excluding ranges to reduce the number of lookups, when we can eliminate *all* lookups by compiling the SPF record? I would just say: keep your SPF records very simple, well under the limit of 10 lookups, or use the compiler.

Because the records of the biggest mail servers (hotmail, ebay, probably others who use a lot of ISPs for redundancy) expand to a compiled record of more than 450 bytes (schlitt-00 draft), and then it has to be split into two records or more.

Both of those domains are among the most often forged. The TTL of their SPF records is 1 hour each. So their DNS traffic is pretty heavy.

Generally, the bigger an uncompiled record is, the more likely it is that the TTL of the compiled record will be lower due to some A mechanism that has a low TTL.

So, given all these facts, a mask included in the top SPF record will probably avoid the need to read the second (and remaining) records most of the time. That implies a reduction in DNS traffic by half for these large installations. I can only guess that their DNS traffic is already huge. Half of huge would be a good chunk. The bigger the full record is, the more significant the savings (you could save 2/3 or 4/5 or 5/6 of the queries otherwise required to find out what the default result is for a non-matching IP).

The mask would also help with the virus scenario, in that a (compiled) SPF record spanning multiple TXT records (using includes/redirects) would need to be fully expanded only a small proportion of the time (which depends on how good the coverage of the mask is). Depending on the max lookup limit, this means that most of the time you might have to do 1 lookup instead of 4, 5, or 10 lookups. On a percentage basis, that's a huge amount of DNS traffic avoided.


Radu.
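To make the lookup arithmetic in the message above concrete, here is an added simulation of the proposed mask modifier. It is not code from this list, from any SPF implementation, or from the schlitt draft; the m= syntax is taken from the proposal as written above, while the domain names, the record contents, the one-TXT-query-per-record accounting and the coverage check are all constructed for this example. It walks a record chain with and without the mask short-circuit, counts the TXT lookups each path costs, and includes a check that every ip4: network reachable through the chain is inside some mask, since an IP on an unmasked network would otherwise be rejected after the first lookup.

```python
"""Added example: simulate the m=<prefix> mask modifier proposed above.

The top SPF record lists coarse masks covering every network the domain's
legitimate senders live on.  If the connecting IP is outside all masks the
checker returns the top record's default ("all") result after one TXT
lookup instead of expanding each include:/redirect= in the chain.
Names, records and lookup accounting below are constructed, not real.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: one logical record split over chained includes, the way
# a compiled record would be once it no longer fits in a single TXT string.
RECORDS = {
    "example.net": ("v=spf1 m=64/6 m=80.66/16 m=192/3 "
                    "ip4:64.4.0.0/16 include:_spf1.example.net -all"),
    "_spf1.example.net": "v=spf1 ip4:65.54.0.0/16 include:_spf2.example.net",
    "_spf2.example.net": "v=spf1 ip4:80.66.0.0/20 include:_spf3.example.net",
    "_spf3.example.net": "v=spf1 ip4:207.46.0.0/16",
}


def expand_mask(token):
    """'80.66/16' -> 80.66.0.0/16: the shorthand drops trailing zero octets."""
    addr, plen = token.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def split_qualifier(term):
    if term[0] in QUALIFIERS:
        return QUALIFIERS[term[0]], term[1:]
    return "pass", term                   # SPF default qualifier is "+"


def default_result(terms):
    """Result of the top record's 'all', or None when the default can only be
    learned by following a redirect= (then the mask must not short-circuit)."""
    for term in terms:
        result, mech = split_qualifier(term)
        if mech == "all":
            return result
    return None


def evaluate(ip, domain, records=RECORDS, use_mask=True):
    """check_host() over ip4:/include:/redirect=/all only.
    Returns (result, number_of_txt_lookups)."""
    ip = ipaddress.ip_address(ip)
    lookups = 0

    def walk(name, top):
        nonlocal lookups
        lookups += 1                      # one TXT query per record fetched
        record = records.get(name)
        if record is None:
            return "none"
        terms = record.split()[1:]        # drop "v=spf1"
        if top and use_mask:
            masks = [expand_mask(t[2:]) for t in terms if t.startswith("m=")]
            default = default_result(terms)
            if masks and default and not any(ip in m for m in masks):
                return default            # nothing further can match: stop
        redirect = None
        for term in terms:
            if term.startswith("m="):
                continue
            result, mech = split_qualifier(term)
            if mech.startswith("ip4:"):
                if ip in ipaddress.ip_network(mech[4:], strict=False):
                    return result
            elif mech.startswith("include:"):
                if walk(mech[8:], False) == "pass":
                    return result
            elif mech.startswith("redirect="):
                redirect = mech[9:]
            elif mech == "all":
                return result
        if redirect:
            return walk(redirect, False)
        return "neutral"                  # no match and no "all"

    return walk(domain, True), lookups


def mask_gaps(domain, records=RECORDS):
    """ip4: networks reachable via include:/redirect= that no single mask
    contains.  A sender there would be rejected by the short-circuit, so only
    publish the masks when this returns an empty list (conservative check:
    a network split across two masks is also reported)."""
    top = records[domain].split()[1:]
    masks = [expand_mask(t[2:]) for t in top if t.startswith("m=")]
    gaps, seen = [], set()

    def collect(name):
        if name in seen or name not in records:
            return
        seen.add(name)
        for term in records[name].split()[1:]:
            _, mech = split_qualifier(term)
            if mech.startswith("ip4:"):
                net = ipaddress.ip_network(mech[4:], strict=False)
                if not any(net.subnet_of(m) for m in masks):
                    gaps.append(net)
            elif mech.startswith("include:"):
                collect(mech[8:])
            elif mech.startswith("redirect="):
                collect(mech[9:])

    collect(domain)
    return gaps


if __name__ == "__main__":
    for ip in ("207.46.10.5", "10.1.2.3"):
        for use_mask in (False, True):
            print(ip, "mask" if use_mask else "plain",
                  evaluate(ip, "example.net", use_mask=use_mask))
    print("mask gaps:", mask_gaps("example.net"))
```

For the forged-sender case (an IP on none of the masked networks) the mask path answers "fail" after 1 lookup where the plain path needs 4, which is the 3/4 saving the message describes for a four-record chain; a legitimate IP deep in the chain costs 4 lookups either way. The `mask_gaps` check is the caveat: if one of the chained records adds a network the masks do not cover, `evaluate` with the mask returns "fail" for a sender the full record would pass.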

