spf-discuss

Re: Re: possible changes to the SPF I-D during AUTH48

2005-08-15 14:56:44
On Mon, 15 Aug 2005, wayne wrote:

> Now, again, the questions are:
>
> *  Can CNAME loops be used to create DoS attacks against third
>    parties?

Not that I can think of.

> *  Can CNAME loops be used to create a DoS attack against the
>    receiver?

A really long chain will consume memory in order for the receiver to keep
checking for a loop.  The sending domain can have a DNS server that computes
the canonical name by adding one to the owner name instead of keeping it
in a database.  This would consume arbitrary memory on the receiver while
consuming no memory for the sender.

The receiver will need to keep issuing more DNS requests to
follow the chain, but these will hit the sender domain as well.

> What we don't care about is:
>
> *  Can a domain owner shoot themselves in the foot by using CNAMEs?

Then why are we giving PermError for other syntax errors and
things like bad includes?

So you are suggesting that receivers follow CNAME chains to any
implementation determined length?  I have no problem with that.
It makes pyspf slightly simpler if it simply follows the CNAME until
it runs out of memory.  But SPF results will be more consistent if
we stop after a standard number of CNAME links.

P.S.  I am really itching to set up that algorithmic CNAME DNS server
and see how various applications deal with attempting to look up the starting
name.  I see Twisted Python has a new version with subpackages.  I'll
check it out.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
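A bounded CNAME chaser of the kind the reply argues for (a standard link cap plus loop detection), written here as an added example; it is not pyspf code or anything from the thread. The `lookup` callable, the cap of 10, and the zone data (including the mock "add one to the owner name" server) are constructed stand-ins for real DNS.

```python
import re

MAX_CNAME_LINKS = 10  # assumed cap; the post argues for some standard number


class PermError(Exception):
    """Permanent error: the domain's DNS data is unusable (loop or over-long chain)."""


def chase_cname(name, lookup, max_links=MAX_CNAME_LINKS):
    """Follow CNAMEs from `name` and return the canonical name.
    `lookup(name, rrtype)` returns rdata strings ([] if none).  The hop budget
    and seen-set bound memory and queries even when the server fabricates a
    fresh CNAME target for every question (the post's algorithmic server).
    """
    seen = set()
    current = name.lower().rstrip(".")
    for _ in range(max_links + 1):
        if current in seen:
            raise PermError(f"CNAME loop at {current}")
        seen.add(current)
        targets = lookup(current, "CNAME")
        if not targets:
            return current
        current = targets[0].lower().rstrip(".")
    raise PermError(f"CNAME chain from {name} exceeds {max_links} links")


def chase_or_error(name, lookup, max_links=MAX_CNAME_LINKS):
    """Canonical name, or the PermError text, so callers can inspect the outcome."""
    try:
        return chase_cname(name, lookup, max_links)
    except PermError as err:
        return f"PermError: {err}"


# Constructed zone data standing in for real DNS answers.
STATIC_ZONE = {
    ("mail.example.com", "CNAME"): ["alias1.example.com."],
    ("alias1.example.com", "CNAME"): ["alias2.example.com."],
    ("alias2.example.com", "TXT"): ["v=spf1 -all"],
    ("loop-a.example.com", "CNAME"): ["loop-b.example.com."],
    ("loop-b.example.com", "CNAME"): ["loop-a.example.com."],
}


def static_lookup(name, rrtype):
    return STATIC_ZONE.get((name, rrtype), [])


def algorithmic_lookup(name, rrtype):
    """Mock of the server the post describes: cN -> c(N+1), never terminating."""
    m = re.match(r"c(\d+)\.example\.com$", name)
    if m and rrtype == "CNAME":
        return [f"c{int(m.group(1)) + 1}.example.com."]
    return []
```

Whatever the cap is, the receiver holds at most `max_links + 1` names and issues at most that many queries per lookup, so the sender's cost-free chain cannot grow the receiver's memory without bound.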