spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

s/prefix/sign/ and 20 seconds for foo.slow.sp.am (was: -01pre5)

2005-05-08 04:54:59
from [Frank Ellermann] [Permanent Link] 
wayne wrote:


Radu does also since he did comment on the DNS load issues.


Unfortunatley he has just left the list before he saw this
beautiful foo.slow.sp.am sender policy with it's excessively
ugly MX answers.  Is this a real DNS server or a foo script ?


I think it is reasonable to submit another I-D to the IETF
soon, if for no other reason that to show forward progress
and prevent the old I-D from timing out.


Sure, but you have time to integrate the four (?) CfVs for the
Council.  And maybe Julian's s/prefix/sign/ idea - not that I
like to twist an already very idiosyncratic terminology, but
his argument about how to construct formal grammars _must_ be
correct, it _sounds_ correct.

Actually I'm curious where he found it, I don't recall it, and
I liked this stuff (okay, that's now more than 20 years ago ;-)

I desperately need his argument, I tried for months to replace
<id-left(_at_)id-right> by <id-unique(_at_)id-domain> in USEFOR.  They're
stubborn like hell because they confuse a proposed standard RfC
2882 with the Bible.  The same problem as "prefix" vs. "sign".

In USEFOR it's worse, because one editor seriously doubts that
an "id-right" is a domain in Message-IDs.  Although Bruce told
him so.  Never get into an argument with Bruce without double-
checking your facts.  Okay, back on topic:


try doing SPF queries on <anything>.slow.sp.am


Really nice.  It should abort in the second "include" near the
"mx:m2.9.3ec4.foo.sp.am" if I got it right.


| spfquery: error

[...]

| Mechanisms used too many DNS lookups


Exactly.  6 queries per MX, 5 MX per include, about 44 queries
before you get a PermError.  Radu proposed a limit A (your 10)
and a limit B > A to catch malicious PermErrores (for a local
BL).  I proposed B = A = never again for its TTL.

This is all fascinating, and a global timeout is also fine...


real    3m20.339s


... <shudder /> but it's an implementation detail.  For the
spec. all you need is your 3*10 magic, maybe a hint to prepare
for malicious policies with a blacklist.  In a real attack you
get several thousands of these foo.slow.sp.am addresses, and a
global timeout of 20 seconds per mail won't help in this case.

For the other side it's only relevant that you say PermError
or TempError with the reason depending on what you want.  The
details how you came to this error, SigInt or what else, are
implementation details.
                        Bye, Frank
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: For SPF council review: NOT RECOMMENDED, Frank Ellermann
Next by Date:  Re: NXDOMAIN, Frank Ellermann
Previous by Thread:  Re: Re: -01pre5, wayne
Next by Thread:  Re: -01pre5, Julian Mehnle
Indexes:  [Date] [Thread] [Top] [All Lists]