
Re: [spf-discuss] Does an SPF record need to be an IP?

2005-11-04 14:10:23
On Fri, 4 Nov 2005, wayne wrote:

> > In terms of DNS lookups, it is the same as MX.  [...]
>
> I strongly disagree.  In both theory and practice, PTR is much worse
> than MX.

You snipped out the part where I agree with you.  My point was
that for *legitimate* traffic, where you control the rDNS records,
and they come from a small number of IPs, it is no worse than MX.  It is when
evaluating a forged connection that it is expensive.

> The biggest problem with PTR is in practice.  There are simply far
> more broken name server delegations to the reverse DNS tree than the
> forward DNS tree, so PTR lookups are *FAR* more likely to time out.

You wouldn't be using PTR unless your rDNS works, so the above doesn't
apply to legitimate connections.

> This is true even for legitimate MTAs.  For spam sources, the rDNS
> tree is almost useless.

Yes, we agree that PTR is vulnerable to DoS attacks.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
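The thread's point, that the "ptr" mechanism is cheap for a legitimate sender but expensive (or silently useless) when evaluating a forged or broken source, can be seen by counting queries. The following is an added illustration, not code from the list or from any SPF implementation; it uses a constructed in-memory resolver where a missing record stands in for a timed-out delegation, and it follows the RFC 4408 rules that a DNS error during a PTR lookup makes "ptr" simply not match while an error during "mx" yields a temporary error. All hostnames and addresses are made up for the example.

```python
"""Count the DNS queries an SPF "ptr" mechanism costs versus an "mx" mechanism.

Added example using a constructed stub resolver; not from the spf-discuss thread
or from any real SPF library.  Names and addresses are constructed sample data.
"""
import ipaddress


class Timeout(Exception):
    """Stands in for a query that never gets an answer (broken delegation)."""


class StubResolver:
    """In-memory DNS table; any (name, type) not present is treated as a timeout."""

    def __init__(self, records):
        self.records = records
        self.queries = 0  # every lookup, answered or not, costs one query

    def query(self, name, rtype):
        self.queries += 1
        key = (name, rtype)
        if key not in self.records:
            raise Timeout(f"{rtype} {name}")
        return list(self.records[key])


def ptr_mechanism(resolver, ip, domain):
    """RFC 4408 "ptr": look up PTR, forward-validate each name, then compare."""
    try:
        names = resolver.query(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    except Timeout:
        return "no-match"  # a PTR error means the mechanism fails to match
    validated = []
    for name in names[:10]:  # RFC 4408 caps the names considered at 10
        try:
            if ip in resolver.query(name, "A"):
                validated.append(name)
        except Timeout:
            continue  # unresolvable name is dropped, but its query was still paid for
    for name in validated:
        if name == domain or name.endswith("." + domain):
            return "match"
    return "no-match"


def mx_mechanism(resolver, ip, domain):
    """RFC 4408 "mx": look up MX hosts, then the A records of each."""
    try:
        hosts = resolver.query(domain, "MX")
        for host in hosts[:10]:
            if ip in resolver.query(host, "A"):
                return "match"
    except Timeout:
        return "temperror"  # unlike ptr, an mx DNS error is a temporary error
    return "no-match"


def evaluate(records, ip, domain):
    """Run both mechanisms on fresh resolvers; return {mech: (result, query count)}."""
    out = {}
    for label, fn in (("ptr", ptr_mechanism), ("mx", mx_mechanism)):
        r = StubResolver(records)
        out[label] = (fn(r, ip, domain), r.queries)
    return out


# Constructed scenario: a legitimate MTA whose operator controls rDNS.
LEGIT = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
}
# Constructed scenario: a forged connection from an IP whose PTR hands back ten
# names that never resolve forward (a typical spam-source rDNS tree).
FORGED = {
    ("5.113.0.203.in-addr.arpa", "PTR"): [f"host{i}.example.net" for i in range(10)],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
}
# Constructed scenario: the reverse delegation itself is broken, so PTR times out.
BROKEN_RDNS = {
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
}

if __name__ == "__main__":
    for name, recs, ip in (("legit", LEGIT, "192.0.2.10"),
                           ("forged", FORGED, "203.0.113.5"),
                           ("broken rDNS", BROKEN_RDNS, "198.51.100.7")):
        print(name, evaluate(recs, ip, "example.com"))
```

For the legitimate sender both mechanisms cost two queries and match; for the forged source "mx" still costs two queries, while "ptr" spends eleven (one PTR plus ten forward lookups that all time out) before concluding nothing matched; and with a broken reverse delegation "ptr" gives up after one unanswered query and returns no match rather than a temporary error, which is the reason it offers no useful signal against spam sources even when it is cheap.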