spf-discuss

Re: [spf-discuss] SPF processing limits

2006-05-24 13:04:38
On Wed, 24 May 2006, Stuart D. Gathman wrote:

It seems that the size of MX and PTR result sets are limited:

 When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro, there MUST
 be a limit of no more than 10 MX or PTR RRs looked up and checked.

But the size of A and CNAME result sets are not.

This is because the MX and PTR data can be used to amplify a DOS attack
because the data consists of names that are looked up via DNS.
The A results are IPs, and won't amplify a DOS attack.

A CNAME chain attack requires cooperation from the victim :-)

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
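
The query-count difference described in the message above, as an added example (not part of the original message and not code from any SPF implementation). The zone data, the `CountingResolver` stand-in and the choice to simply stop after the tenth name are assumptions made for illustration.

```python
import ipaddress

MAX_MX_PTR = 10  # limit quoted in the message above

# Constructed zone data (documentation names and addresses only).
ZONE = {
    ("big.example", "MX"): [f"mx{i}.big.example" for i in range(25)],
    ("multi.example", "A"): [f"192.0.2.{i}" for i in range(1, 41)],
}
for i in range(25):
    ZONE[(f"mx{i}.big.example", "A")] = [f"198.51.100.{i + 1}"]


class CountingResolver:
    """In-memory stand-in for a DNS resolver that counts queries issued."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def lookup(self, name, rrtype):
        self.queries += 1
        return self.zone.get((name, rrtype), [])


def check_a(resolver, domain, client_ip):
    """'a' mechanism: one query; the answers are IPs, compared locally."""
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == ip for a in resolver.lookup(domain, "A"))


def check_mx(resolver, domain, client_ip, limit=MAX_MX_PTR):
    """'mx' mechanism: each MX answer is a name that costs another query."""
    ip = ipaddress.ip_address(client_ip)
    names = resolver.lookup(domain, "MX")
    # Assumption: names beyond the limit are not looked up (limit=None = no cap).
    for name in names[:limit]:
        if any(ipaddress.ip_address(a) == ip for a in resolver.lookup(name, "A")):
            return True
    return False


def queries_for(check, domain, client_ip, **kw):
    """Return (match, number of DNS queries issued) for one mechanism check."""
    resolver = CountingResolver(ZONE)
    return check(resolver, domain, client_ip, **kw), resolver.queries
```

A 40-record A result set costs one query, while a 25-record MX result set costs 26 queries without the cap and 11 with it.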
