At 04:02 PM 5/24/2006 -0400, Stuart D. Gathman wrote:
On Wed, 24 May 2006, Stuart D. Gathman wrote:
> It seems that the size of MX and PTR result sets is limited:
>
> When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
> there MUST
> be a limit of no more than 10 MX or PTR RRs looked up and checked.
>
> But the size of A and CNAME result sets is not.
This is because the MX and PTR data can be used to amplify a DOS attack,
because the data consists of names that are looked up via DNS.
The A results are IPs, and won't amplify a DOS attack.
A CNAME chain attack requires cooperation from the victim :-)
Good point. I was only considering the case where all CNAMEs are in the
same zone, and get returned in one response. In general, I guess we do
have multiple queries with added CNAMEs.
-- Dave
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
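Added example, not code from the thread or from any SPF implementation: an "mx" mechanism check against a constructed in-memory resolver that enforces the 10-RR cap discussed above, so that a domain publishing many MX names cannot multiply the evaluator's DNS queries. The zone data, the FakeResolver class, and the choice to fail with PermError (rather than truncate) when the cap is exceeded are this example's own assumptions.

```python
"""Evaluate an SPF "mx" mechanism with the 10 MX RR cap enforced."""
import ipaddress

MAX_MX_RRS = 10  # cap quoted in the thread for MX and PTR RR sets


class PermError(Exception):
    """Raised when a domain's policy cannot be evaluated safely."""


class FakeResolver:
    """Stand-in for DNS, constructed for this example; counts queries."""

    def __init__(self, zone):
        self.zone = zone          # {(name, rrtype): [rdata, ...]}
        self.queries = 0

    def query(self, name, rrtype):
        self.queries += 1
        return list(self.zone.get((name, rrtype), []))


def mx_mechanism_matches(resolver, domain, client_ip):
    """Return True if client_ip is an address of one of domain's MX hosts.

    Refuses (PermError) to chase more than MAX_MX_RRS MX names, so the
    number of follow-up queries is bounded by the cap, not by the sender.
    A/AAAA answers are not capped: each one is an address, not another
    name to look up, so it cannot amplify the evaluation.
    """
    mx_hosts = resolver.query(domain, "MX")
    if len(mx_hosts) > MAX_MX_RRS:
        raise PermError(f"{domain}: {len(mx_hosts)} MX RRs exceeds {MAX_MX_RRS}")
    ip = ipaddress.ip_address(client_ip)
    rrtype = "A" if ip.version == 4 else "AAAA"
    for host in mx_hosts:
        if any(ipaddress.ip_address(a) == ip for a in resolver.query(host, rrtype)):
            return True
    return False


# Constructed sample zone: a normal domain with two MX hosts, and one
# publishing 11 MX names (over the cap) that would force 11 extra lookups.
SAMPLE_ZONE = {
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    ("mx2.example.com", "A"): ["192.0.2.11"],
    ("bloated.example", "MX"): [f"mx{i}.bloated.example" for i in range(11)],
}
```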