[spf-discuss] Re: SPF processing limits

2006-05-24 18:41:00

Stuart D. Gathman wrote:
> But the size of A and CNAME result sets are not, except for the
> following:
>
>   SPF implementations SHOULD limit the total amount of data obtained from
>   the DNS queries. For example, when DNS over TCP or EDNS0 are available,
>   there may need to be an explicit limit to how much data will be
>   accepted to prevent excessive bandwidth usage or memory usage and DoS
>   attacks.
>
> Which doesn't establish a fixed limit.  It is not clear what the SPF
> result should be if the number of records returned for an A record or
> the length of a CNAME chain exceeds the implementation defined limit.
>
> The result shouldn't be PermError, because that is supposed to be
> determined by the RFC - not implementation defined.  So I suppose
> the best response for CNAME or A overflow would be TempError.

RFC 4408, section 5, "Mechanism Definitions", says:

| Several mechanisms rely on information fetched from DNS. For these DNS
| queries, except where noted, if the DNS server returns an error (RCODE
| other than 0 or 3) or the query times out, the mechanism throws the
| exception "TempError". If the server returns "domain does not exist"
| (RCODE 3), then evaluation of the mechanism continues as if the server
| returned no error (RCODE 0) and zero answer records.

In the case of an overly long CNAME chain (or even loop) I think the most
consistent and DWIM-y thing to do would be to treat it like NXDOMAIN, i.e.
"no match".  TempError by definition is an error condition that can be
expected to go away on its own, which doesn't apply to that sort of thing.

I don't think that there's such a thing as an "A overflow" -- just take
whatever number of A records you get in the response packet.  In what
situation could there be an "overflow"?

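The RCODE handling from RFC 4408 section 5 and the "treat an over-long or looping CNAME chain like NXDOMAIN" position argued in the message above, as an added Python example that is not part of the post or of any SPF implementation. The in-memory zone, the RCODE values it carries and the chain limit of 10 are constructed assumptions; RFC 4408 itself fixes no CNAME limit.

```python
# Constructed in-memory zone: owner name -> (RCODE, rrtype, values).
# RCODE 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN (names absent from the dict).
ZONE = {
    "mail.example.com.":   (0, "A", ["192.0.2.10"]),
    "alias.example.com.":  (0, "CNAME", ["mail.example.com."]),
    "loop-a.example.com.": (0, "CNAME", ["loop-b.example.com."]),
    "loop-b.example.com.": (0, "CNAME", ["loop-a.example.com."]),
    "broken.example.com.": (2, None, []),          # server failure
}
# A chain of 12 CNAMEs ending in an A record, to exercise the depth limit.
for i in range(12):
    ZONE[f"c{i}.example.com."] = (0, "CNAME", [f"c{i + 1}.example.com."])
ZONE["c12.example.com."] = (0, "A", ["192.0.2.20"])

MAX_CNAME_DEPTH = 10   # implementation-defined limit (assumed value)


def lookup_a(name, zone=ZONE, max_depth=MAX_CNAME_DEPTH):
    """Return ("ok", [addresses]) or ("temperror", reason).

    RFC 4408 section 5: RCODE 3 counts as zero answers, any other non-zero
    RCODE is a TempError.  A CNAME loop or a chain longer than max_depth is
    treated like NXDOMAIN (zero answers), as the post above argues, rather
    than as a TempError, since it will not go away on its own."""
    seen, depth = set(), 0
    while True:
        if name in seen or depth > max_depth:
            return ("ok", [])                      # loop / too deep -> no match
        seen.add(name)
        rcode, rrtype, values = zone.get(name, (3, None, []))
        if rcode == 3:
            return ("ok", [])                      # NXDOMAIN -> zero answers
        if rcode != 0:
            return ("temperror", f"RCODE {rcode} while resolving {name}")
        if rrtype == "CNAME":
            name, depth = values[0], depth + 1     # follow the alias
            continue
        return ("ok", list(values))                # whatever A records came back


def a_mechanism(domain, client_ip):
    """Evaluate an SPF 'a' mechanism: 'match', 'nomatch' or 'temperror'."""
    status, result = lookup_a(domain)
    if status == "temperror":
        return "temperror"
    return "match" if client_ip in result else "nomatch"
```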

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/