
Re: [spf-discuss] Re: SPF processing limits

2006-05-25 06:29:42
On Thu, 25 May 2006, Julian Mehnle wrote:

  SPF implementations SHOULD limit the total amount of data obtained from
  the DNS queries. For example, when DNS over TCP or EDNS0 are available,
  there may need to be an explicit limit to how much data will be
  accepted to prevent excessive bandwidth usage or memory usage and DoS
  attacks. 

I don't think that there's such a thing as an "A overflow" -- just take 
whatever number of A records you get in the response packet.  In what 
situation could there be an "overflow"?

Suppose there were 100 million A records for the hostname.  Possible over
TCP or EDNS0.  An implementation has to draw the line somewhere - and 
the line is implementation defined.  The SPF record can't be evaluated
if you stop before comparing the source IP with all 100 million records.
So the only possible results are TempError and PermError.

You correctly point out that TempError should be for conditions that
are likely to resolve themselves.  But on the other hand, we don't
want PermError to be implementation defined.  Maybe we should have
had an ImplLimitError result.

If we go with your suggestion of returning PermError - that makes
PermError implementation defined.  That then gives an excuse to those
who would, for example, allow more than 10 DNS lookups without 
a PermError.  "Hey - PermError is implementation defined."

As a patch, we could say you must return PermError when required by the
spec, but may return PermError when additional implementation-defined
limits are exceeded.  The message included with the latter should have
a standard prefix to distinguish it from a spec-mandated PermError.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
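An added example, not code from this thread or from any SPF implementation, sketching how an evaluator could keep the two kinds of limit apart as the reply above proposes: the spec-mandated 10-lookup ceiling raises a plain PermError, while an implementation-defined cap on the number of A records accepted per lookup raises a PermError whose explanation carries a fixed prefix. The prefix string, the record cap of 100, the in-memory resolver and all domain names and addresses are constructed for the example; only `ip4`, `a`, `include` and `all` are handled.

```python
import ipaddress

SPEC_MAX_DNS_LOOKUPS = 10          # limit mandated by the SPF spec
IMPL_MAX_A_RECORDS = 100            # assumed implementation-defined cap per A lookup
IMPL_LIMIT_PREFIX = "impl-limit: "  # assumed standard prefix for such errors

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    pass


class FakeDNS:
    """Constructed in-memory resolver standing in for real DNS queries."""

    def __init__(self, txt, a):
        self.txt = txt  # domain -> SPF record text
        self.a = a      # hostname -> list of IPv4 address strings

    def get_spf(self, domain):
        return self.txt.get(domain)

    def get_a(self, name):
        return self.a.get(name, [])


class Evaluator:
    def __init__(self, dns):
        self.dns = dns
        self.lookups = 0  # shared across include: recursion

    def _count_lookup(self):
        self.lookups += 1
        if self.lookups > SPEC_MAX_DNS_LOOKUPS:
            raise PermError("too many DNS lookups")  # spec-mandated PermError

    def _a_matches(self, name, ip):
        self._count_lookup()
        addrs = self.dns.get_a(name)
        if len(addrs) > IMPL_MAX_A_RECORDS:
            # Implementation-defined limit: same result, distinguishable message.
            raise PermError(f"{IMPL_LIMIT_PREFIX}{len(addrs)} A records for {name} "
                            f"exceed cap of {IMPL_MAX_A_RECORDS}")
        return any(ipaddress.ip_address(a) == ip for a in addrs)

    def check_host(self, ip, domain):
        record = self.dns.get_spf(domain)
        if record is None:
            return "none"
        for term in record.split()[1:]:  # skip the "v=spf1" version tag
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            if name == "all":
                return QUALIFIERS[qualifier]
            if name == "ip4":
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            elif name == "a":
                if self._a_matches(arg or domain, ip):
                    return QUALIFIERS[qualifier]
            elif name == "include":
                self._count_lookup()
                sub = self.check_host(ip, arg)
                if sub == "none":
                    raise PermError(f"include:{arg} has no SPF record")
                if sub == "pass":
                    return QUALIFIERS[qualifier]
            else:
                raise PermError(f"unknown mechanism {name}")
        return "neutral"  # default when no mechanism matched


def check(dns, ip, domain):
    """Return (result, explanation); any PermError becomes the 'permerror' result."""
    try:
        return Evaluator(dns).check_host(ipaddress.ip_address(ip), domain), ""
    except PermError as e:
        return "permerror", str(e)


def is_impl_limit(explanation):
    """True when a permerror came from an implementation-defined limit."""
    return explanation.startswith(IMPL_LIMIT_PREFIX)


# Constructed sample zone data (RFC 5737 documentation addresses).
SAMPLE_DNS = FakeDNS(
    txt={
        "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com -all",
        "huge.example": "v=spf1 a:many.huge.example -all",
        "loop.example": "v=spf1 include:loop.example -all",
    },
    a={
        "mail.example.com": ["198.51.100.10"],
        "many.huge.example": [f"203.0.113.{i % 256}" for i in range(IMPL_MAX_A_RECORDS + 1)],
    },
)
```

`check(SAMPLE_DNS, "203.0.113.9", "huge.example")` yields a permerror whose message starts with the prefix, so a receiver can log or treat it differently from the lookup-count permerror produced by `loop.example`, which is the distinction the reply asks for.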
