Marc Chametzky wrote:
Scott Kitterman wrote:
With my validator, the MS SPF record is raising an error because of
too many DNS lookups.
My SPF engine also returns PermError for microsoft.com, too. By the time
I got to the last of the three includes in the main record, I had
already hit 10 DNS-lookup-counted mechanisms.
Main record: 4 (1 mx, 3 includes)
First include: 3 (2 a, 1 mx)
Second include: 4 (3 a, 1 mx)
Third include: 0
Marc is correct.
Hector Santos wrote:
Too bad I was out of the loop when this decision was made.
That's a major difference in SPF implementations and now you see the
effect for large SPF organization/networks wishing to support SPF.
It was also a major security hole in the old SPF specification that needed
to be fixed.
Scott Kitterman wrote:
Hector Santos wrote:
Basically what it tells the big companies:
"You can only have 10 different domains to lookup and if you
CAN'T structure your SPF network as such, then SPF is not for
you because [NEW?] SPF verifiers are going to see you as a PERM
ERROR."
Actually what it says (in my opinion) are two things:
1. SPF processing limits are tight enough that you can use SPF without
worrying too much about denial of service attacks based on large records
(this threat got a lot of discussion on the list and was the source of
the revised approach to processing limits).
2. If you are a big enough provider for the complexity of your record
to cause problems with the limits, you need to use more ip4: mechanisms
in your records. If your mail sending is complex enough to cause a
problem, you know enough to enumerate your sending sources by IP
address.
You can always use an "exists:" mechanism to cover an arbitrarily complex
network with a single DNS lookup. Setting up dummy A records for all your
outgoing MXes isn't hard.
The 10 lookup limit is a MUST in RFC 4408. Do it however you want, but
don't claim to have implemented the RFC if you do it differently :).
Well, it's the receiver's choice whether they want to subject themselves to
DoS attacks. No need to call them non-compliant for that. They can't blame
SPF then, however.
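The tally Marc walks through above (1 mx + 3 includes, then 2 a + 1 mx, then 3 a + 1 mx) can be reproduced with a small lookup counter. This is an added example, not code from any poster or from an SPF library; the domain names, records and resolver dictionary are constructed so it runs offline, and it applies the RFC 4408 rule that a, mx, ptr, exists, include and redirect each cost one lookup while ip4/ip6/all cost none.

```python
import re

# Constructed records mirroring Marc's tally: the main record has 1 mx and
# 3 includes, the first include 2 a + 1 mx, the second 3 a + 1 mx, the third
# none. "fixed.example.test" shows Scott's alternative: ip4 plus one exists.
RECORDS = {
    "example.test": "v=spf1 mx include:a.example.test include:b.example.test "
                    "include:c.example.test -all",
    "a.example.test": "v=spf1 a a:relay.a.example.test mx ip4:192.0.2.0/24 -all",
    "b.example.test": "v=spf1 a:one.b.example.test a:two.b.example.test "
                      "a:three.b.example.test mx -all",
    "c.example.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "fixed.example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                          "exists:%{i}.spf.example.test -all",
}

LIMIT = 10  # RFC 4408 section 10.1: more than 10 lookup-costing terms is a PermError

# Terms that cost a DNS lookup: a, mx, ptr, exists, include (optional qualifier
# prefix) and the redirect modifier. ip4:, ip6:, all and other modifiers do not.
COUNTED = re.compile(r"^[+\-~?]?(a|mx|ptr|exists|include)(?=[:/]|$)|^redirect=", re.I)


def lookup_count(domain, records=RECORDS, count=0):
    """Return (lookups_so_far, status) where status is 'ok', 'None' or 'PermError'.

    The count is carried across includes and redirects, as the RFC requires,
    so the limit applies to the whole evaluation, not per record.
    """
    record = records.get(domain)
    if record is None:
        return count, "None"  # no SPF record published for this domain
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if not COUNTED.match(term):
            continue
        count += 1
        if count > LIMIT:
            return count, "PermError"
        if term.lower().startswith("redirect="):
            count, status = lookup_count(term.split("=", 1)[1], records, count)
        elif term.lstrip("+-~?").lower().startswith("include:"):
            count, status = lookup_count(term.split(":", 1)[1], records, count)
        else:
            continue  # a/mx/ptr/exists: counted, nothing further to descend into
        if status != "ok":  # an include whose target has no record is also a PermError
            return count, "PermError"
    return count, "ok"
```

Evaluating "example.test" fails on the third include exactly as Marc describes, while "fixed.example.test" covers the same senders with a single counted lookup.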
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com