spf-discuss

Re: CNAME limit

2005-07-21 18:19:45

Counting each CNAME as a DNS lookup is probably best. Then all other issues as far as limits and loops are already addressed by the SPF draft.

On Thu, 21 Jul 2005, Stuart D. Gathman wrote:

How many CNAMEs should an SPF implementation follow before returning
PermErr?  Should each CNAME link count as a DNS lookup for the overall
lookup limit?  A quick example to make sure we're on the same page:

loop.example.com        IN CNAME        loop.example.com.

Now, we *could* keep a stack and follow chains of arbitrary depth
while detecting infinite loops.  However, that still makes a CNAME
DOS attack trivial:

evil0.example.com       IN CNAME        evil1.example.com.
evil1.example.com       IN CNAME        evil2.example.com.
evil2.example.com       IN CNAME        evil3.example.com.
...
evil99999.example.com   IN CNAME        evil0.example.com.

An algorithmic DNS server will greatly aid the attacker :-)
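
The scheme the reply proposes (charge every CNAME link against the overall DNS lookup limit, and let that limit, rather than a loop-detection stack, bound the walk) as an added example that is not part of the original post or of any SPF implementation. The zone data, the names `LookupBudget`, `resolve_a` and `spf_lookup`, and the limit of 10 are all constructed for illustration; the records reproduce the self-loop and the evilN ring from the quoted message.

```python
from typing import Dict, Optional, Tuple

# Constructed toy zone: name -> (rrtype, rdata). Only CNAME and A are modelled.
ZONE: Dict[str, Tuple[str, str]] = {
    "mail.example.com.":   ("A", "192.0.2.10"),
    "alias.example.com.":  ("CNAME", "alias2.example.com."),
    "alias2.example.com.": ("CNAME", "mail.example.com."),
    # The self-referential loop from the post.
    "loop.example.com.":   ("CNAME", "loop.example.com."),
}

# The evil0 -> evil1 -> ... -> evilN-1 -> evil0 ring from the post. An
# "algorithmic" name server would synthesize these on the fly; here the
# ring is just built in memory (constructed data, 1000 links).
RING_LEN = 1000
for i in range(RING_LEN):
    ZONE[f"evil{i}.example.com."] = ("CNAME", f"evil{(i + 1) % RING_LEN}.example.com.")


class PermError(Exception):
    """Raised when the overall DNS lookup limit is exceeded (SPF PermError)."""


class LookupBudget:
    """Counts DNS queries against one overall per-check lookup limit."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used = 0

    def charge(self) -> None:
        """Account for one query; fail closed once the limit is passed."""
        self.used += 1
        if self.used > self.limit:
            raise PermError(f"more than {self.limit} DNS lookups")


def resolve_a(zone: Dict[str, Tuple[str, str]], name: str,
              budget: LookupBudget) -> Optional[str]:
    """Follow CNAMEs from `name` to an A record, charging one lookup per hop.

    No stack or visited-set is kept: the budget alone guarantees termination,
    so a self-loop and a 100000-link ring are both cut off at the same point.
    """
    while True:
        budget.charge()          # the query for `name` itself
        rr = zone.get(name)
        if rr is None:
            return None          # NXDOMAIN / no data
        rtype, rdata = rr
        if rtype != "CNAME":
            return rdata
        name = rdata             # follow the link; next iteration charges again


def spf_lookup(zone: Dict[str, Tuple[str, str]], name: str,
               limit: int = 10) -> Tuple[str, str, int]:
    """Return (outcome, detail, lookups_used).

    outcome is "ok" (address found), "nxdomain" (chain ended at a missing
    name) or "permerror" (lookup limit exceeded, whether by a loop or by a
    long chain).
    """
    budget = LookupBudget(limit)
    try:
        addr = resolve_a(zone, name, budget)
    except PermError as exc:
        return ("permerror", str(exc), budget.used)
    if addr is None:
        return ("nxdomain", "no such name", budget.used)
    return ("ok", addr, budget.used)


if __name__ == "__main__":
    for n in ("mail.example.com.", "alias.example.com.",
              "loop.example.com.", "evil0.example.com."):
        print(n, spf_lookup(ZONE, n))
```

With this accounting `alias.example.com.` costs three lookups (the name plus two links), while both `loop.example.com.` and the evil ring stop after the eleventh charge with a PermError, independent of how long the attacker made the chain. A real recursive resolver normally returns the whole CNAME chain in one response rather than answering hop by hop; the checker can then count the CNAME records in that answer against the same budget instead of counting separate queries.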

