spf-discuss

Re: [spf-discuss] PermError: Too many DNS lookups at Microsoft.com

2006-05-06 11:24:29
I used the limits in the RFC:
http://new.openspf.org/blobs/draft-schlitt-spf-classic-02.html#anchor31


I see, well, if I remember, the original is 20, which is what we have in our
classic SPF setup, and it was, if I recall, for recursive limits, not
just individual DNS limits.

But I don't remember off hand, but the 10 limit in the docs is new:

   "SPF implementations MUST limit the number of mechanisms
    and modifiers that do DNS lookups to at most 10 per SPF check,
    including any lookups caused by the use of the "include"
    mechanism or the "redirect" modifier."

Which off hand, is WAY too short.

The problem is mostly with INCLUDE/REDIRECT; that is where the threats really
lie.

I can see a DNS limit but it must be higher and separate from a recursion:

For example:

    RecursiveLimit  10
    DNSLimit 30
    Redundancy 10

and the last two are SWAG limits.

Absolutely, Microsoft's SPF record is crappy, but I don't see it as different from
many others that use non-recursive includes.

Even if you remove the redundancy of Microsoft's SPF record, which I believe
is 6 DNS, you would have 15 DNS lookups.

The question is can Microsoft "reorganize" this specific NEED they have for
SPF records to reduce the DNS lookups?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
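
The two limits discussed in this message, as an added example that is not part of the original post or of any SPF implementation: a static worst-case counter that walks every term of a record tree (a real check stops at the first match) and enforces the DNS-lookup limit and the include/redirect depth limit separately. The zone data, domain names and function names are constructed for illustration.

```python
# Added example: worst-case SPF lookup counting with two separate limits.
# ZONE holds constructed records (not real policies); all names are hypothetical.
ZONE = {
    "example.com": "v=spf1 mx include:_spf-a.example.com include:_spf-b.example.com ~all",
    "_spf-a.example.com": "v=spf1 a:mail1.example.com a:mail2.example.com include:_spf-c.example.com ~all",
    "_spf-b.example.com": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.bl.example.com a:mail3.example.com ptr ~all",
    "_spf-c.example.com": "v=spf1 mx:example.net a:relay.example.net ip6:2001:db8::/32 ~all",
    "loop.example.com": "v=spf1 include:loop.example.com -all",
}

# Terms that trigger DNS queries; all, ip4, ip6 and exp do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

class PermError(Exception):
    """Raised when a limit is exceeded or a referenced record is missing."""

def term_name(term):
    """Strip the qualifier, then cut at the first ':', '=' or '/'."""
    term = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term

def count_lookups(domain, zone, dns_limit=10, depth_limit=10):
    """Return (lookups, deepest include/redirect level) or raise PermError."""
    state = {"count": 0, "deepest": 0}

    def walk(name, depth):
        if depth > depth_limit:
            raise PermError(f"include/redirect depth exceeds {depth_limit}")
        if name not in zone:
            raise PermError(f"no SPF record for {name}")
        state["deepest"] = max(state["deepest"], depth)
        for term in zone[name].split()[1:]:   # skip the v=spf1 version tag
            kind = term_name(term)
            if kind not in LOOKUP_TERMS:
                continue
            state["count"] += 1
            if state["count"] > dns_limit:
                raise PermError(f"more than {dns_limit} DNS-lookup terms")
            if kind in ("include", "redirect"):
                sep = ":" if kind == "include" else "="
                walk(term.lstrip("+-~?").split(sep, 1)[1], depth + 1)

    walk(domain, 0)
    return state["count"], state["deepest"]
```

With the constructed zone, `count_lookups("example.com", ZONE)` raises PermError under the default limit of 10, while `dns_limit=30` returns 11 lookups at depth 2; the self-including `loop.example.com` is stopped by the depth limit rather than the lookup limit when `dns_limit=30`.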

