Counting each CNAME as a DNS lookup is probably best. Then all other issues
as far as limits and loops are already addressed by the SPF draft.
On Thu, 21 Jul 2005, Stuart D. Gathman wrote:
> How many CNAMEs should an SPF implementation follow before returning
> PermErr? Should each CNAME link count as a DNS lookup for the overall
> lookup limit? A quick example to make sure we're on the same page:
>
> loop.example.com IN CNAME loop.example.com.
>
> Now, we *could* keep a stack and follow chains of arbitrary depth
> while detecting infinite loops. However, that still makes a CNAME
> DoS attack trivial:
>
> evil0.example.com IN CNAME evil1.example.com.
> evil1.example.com IN CNAME evil2.example.com.
> evil2.example.com IN CNAME evil3.example.com.
> ...
> evil99999.example.com IN CNAME evil0.example.com.
>
> An algorithmic DNS server will greatly aid the attacker :-)
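The two strategies discussed above, as an added example that is not code from the original thread or from any SPF implementation: a stub resolver over a constructed in-memory zone that follows CNAME chains with loop detection, and optionally charges every CNAME link against an overall lookup budget (assumed here to be the SPF draft's limit of 10). Running it on the self-referencing `loop` record and on a long `evil0 ... evilN ... evil0` ring shows why the budget matters: loop detection alone walks the whole ring before it notices, while the budget stops after 10 queries. All record names and the `Resolver`, `build_zone` and `check` helpers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed budget: the overall DNS-lookup limit from the SPF draft.
SPF_LOOKUP_LIMIT = 10


class PermError(Exception):
    """SPF 'PermError': the record cannot be evaluated safely."""


@dataclass
class Resolver:
    """Minimal stub resolver over an in-memory zone: name -> (rtype, value)."""
    zone: dict
    budget: Optional[int] = SPF_LOOKUP_LIMIT  # None = loop detection only, no budget
    lookups: int = 0

    def _query(self, name: str):
        # Every query, including each CNAME link, is charged to the budget.
        if self.budget is not None and self.lookups >= self.budget:
            raise PermError(f"DNS lookup limit ({self.budget}) exceeded")
        self.lookups += 1
        return self.zone.get(name)

    def resolve_txt(self, name: str):
        """Follow CNAMEs until a TXT record (or nothing) is found."""
        seen = set()  # the 'stack' that detects infinite loops
        while True:
            if name in seen:
                raise PermError(f"CNAME loop at {name}")
            seen.add(name)
            rr = self._query(name)
            if rr is None:
                return None  # no data / NXDOMAIN
            rtype, value = rr
            if rtype != "CNAME":
                return value
            name = value  # follow the link


def build_zone(chain_length: int) -> dict:
    """Constructed zone: a good CNAME, a self-loop, and a ring of CNAMEs."""
    zone = {
        "spf.example.com.": ("CNAME", "txt.example.com."),
        "txt.example.com.": ("TXT", "v=spf1 -all"),
        "loop.example.com.": ("CNAME", "loop.example.com."),
    }
    for i in range(chain_length):
        nxt = (i + 1) % chain_length  # last link points back to evil0
        zone[f"evil{i}.example.com."] = ("CNAME", f"evil{nxt}.example.com.")
    return zone


def check(name: str, chain_length: int = 1000,
          budget: Optional[int] = SPF_LOOKUP_LIMIT):
    """Return (txt_value, lookups_used, error_message) for one resolution."""
    r = Resolver(build_zone(chain_length), budget)
    try:
        return r.resolve_txt(name), r.lookups, None
    except PermError as e:
        return None, r.lookups, str(e)


if __name__ == "__main__":
    print(check("spf.example.com."))                 # TXT found after 2 lookups
    print(check("loop.example.com."))                # loop caught after 1 lookup
    print(check("evil0.example.com."))               # budget stops it at 10 lookups
    print(check("evil0.example.com.", budget=None))  # loop detection alone: 1000 lookups
```

With `budget=None` the cost of the ring grows linearly with its length, which is the attacker-controlled quantity; with the budget in place the worst case is bounded by the same constant that already governs every other SPF mechanism, so no separate CNAME depth limit is needed.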