In
<Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0508091333020(_dot_)7103-100000(_at_)bmsred(_dot_)bmsi(_dot_)com>
"Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> writes:
> On Tue, 9 Aug 2005, wayne wrote:
>
>> So, if you ever hit a second ptr: mechanism, you are going to have
>> done all the DNS lookups already.
>
> Not true. The PTR mechanism matches a name. The name is in the PTR
> record. You don't need to look up the A record unless the name matches.

OK, but the key point here is that the process limits are there to
give a bound on the DNS lookups for DoS purposes. Making sure that
SPF checking is "cheap enough" is a secondary reason.

Now, consider that the %{p} macro variable doesn't figure at all into
the process limits, even though it is as expensive as a ptr: check.

In reality, we could exclude ptr: and %{p} checking from the process
limits and we wouldn't have any impact on the DoS threat of SPF abuse
and have only a very minor impact on the overall cost of evaluating SPF
records.

-wayne
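
An added example, not part of the original message: a small auditor that separates the terms counted against the processing limit from %{p} expansions, which cost a PTR lookup but are not counted. The counted-term list and the limit of 10 are taken from RFC 7208 section 4.6.4 (the message states no number); the function name and the sample record are constructed for illustration.

```python
import re

# Assumption: counted terms and limit as in RFC 7208 section 4.6.4.
COUNTED_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# %{p} with optional transformers and delimiters, e.g. %{p}, %{p2r}, %{P}
P_MACRO = re.compile(r"%\{[pP]\d*[rR]?[.\-+,/_=]*\}")
# optional qualifier, term name, then '=' if the term is a modifier
TERM = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.\-]*)(=?)")


def audit_spf(record):
    """Classify the terms of one SPF record by their DNS cost accounting."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    counted, ptr_terms, p_macro_terms = [], [], []
    for term in terms[1:]:
        if P_MACRO.search(term):
            # Expanding %{p} needs a PTR lookup that no limit accounts for.
            p_macro_terms.append(term)
        m = TERM.match(term)
        if not m:
            continue
        name, is_modifier = m.group(2).lower(), m.group(3) == "="
        if is_modifier:
            if name == "redirect":
                counted.append(term)
        elif name in COUNTED_MECHANISMS:
            counted.append(term)
            if name == "ptr":
                ptr_terms.append(term)
    return {
        "counted": counted,
        "ptr": ptr_terms,
        "uncounted_p_macros": p_macro_terms,
        "over_limit": len(counted) > LOOKUP_LIMIT,
    }


# Constructed sample record, not taken from any real domain.
SAMPLE = ("v=spf1 ptr:example.com a:%{p}.mail.example.com "
          "exists:%{ir}.%{p}._spf.example.com include:_spf.example.net -all")

if __name__ == "__main__":
    for key, value in audit_spf(SAMPLE).items():
        print(key, value)
```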