On 05/06/2006 16:41, Julian Mehnle wrote:
> Scott Kitterman wrote:
> > The 10 lookup limit is a MUST in RFC 4408. Do it however you want, but
> > don't claim to have implemented the RFC if you do it differently :).
>
> Well, it's the receiver's choice whether they want to subject themselves to
> DoS attacks. No need to call them incompliant for that. They can't blame
> SPF then, however.

I'm going to have to disagree with you here... 4408 says:
"... SPF implementations MUST limit the number of mechanisms and modifiers that
do DNS lookups to at most 10 per SPF check ... If this number is exceeded
during a check, a PermError MUST be returned."
Those two MUSTs are there for a reason. A record is either valid or not. We
can't have sort of, sometimes valid records. Skipping MUSTs in an RFC means
you haven't implemented the RFC.
The only conclusion consistent with RFC 4408 is that MS's SPF record is
invalid. That has to be standardized. Permerror is the only possible
standard conclusion. What a receiver does with a Permerror is, I agree, a
matter of receiver policy.
I think that receivers are free to do what they want as a matter of policy,
but the protocol has to be implemented correctly (correct meaning IAW RFC
4408).
Scott K
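
The limit quoted above, as an added example that is not part of the original message: a worst-case counter for DNS-querying SPF terms that follows include and redirect and returns PermError past 10. The zone data is constructed, the function names are hypothetical, and treating a missing top-level record as PermError is a simplification.

```python
import re

# Terms that cause DNS queries and count against the limit (RFC 4408, 10.1).
# "all", "ip4", "ip6" and the "exp" modifier do not count.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

class PermError(Exception):
    pass

def _bump(state):
    state["n"] += 1
    if state["n"] > MAX_LOOKUPS:
        raise PermError("more than 10 DNS-querying terms")

def count_lookups(domain, txt, state=None):
    """Worst-case count: walk every term, following include and redirect."""
    state = {"n": 0} if state is None else state
    record = txt.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise PermError(f"no SPF record at {domain}")
    redirect = None
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            raise PermError(f"unparseable term {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name == "redirect":
            redirect = arg  # evaluated only after all mechanisms
        elif name in LOOKUP_MECHS:
            _bump(state)  # counted before recursing, so include loops end
            if name == "include":
                count_lookups(arg, txt, state)
    if redirect:
        _bump(state)
        count_lookups(redirect, txt, state)
    return state["n"]

def check(domain, txt):
    try:
        return ("ok", count_lookups(domain, txt))
    except PermError as exc:
        return ("permerror", str(exc))

# Constructed sample zone data (not real DNS records).
SAMPLE = {
    "small.example": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.small.example -all",
    "_spf.small.example": "v=spf1 exists:%{i}.bl.small.example -all",
    "big.example": "v=spf1 include:a.big.example include:b.big.example include:c.big.example -all",
    "a.big.example": "v=spf1 a mx ptr -all",
    "b.big.example": "v=spf1 a mx exists:%{i}.b.big.example -all",
    "c.big.example": "v=spf1 a mx -all",
}
```

A real check stops at the first matching mechanism, so the count it reaches depends on the sending IP; this walk assumes nothing matches early.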