[spf-discuss] Re: SPF processing limits

2006-05-25 07:05:16

Stuart D. Gathman wrote:
> On Thu, 25 May 2006, Julian Mehnle wrote:
> > I don't think that there's such a thing as an "A overflow" -- just
> > take whatever number of A records you get in the response packet.  In
> > what situation could there be an "overflow"?
>
> Suppose there were 100 million A records for the hostname.  Possible
> over TCP or EDNS0.  An implementation has to draw the line somewhere -
> and the line is implementation defined.  The SPF record can't be
> evaluated if you stop before comparing the source IP with all 100
> million records. So the only possible results are TempError and
> PermError.

Oh, you mean that when a UDP response is marked as being truncated, the
requestor would then make a TCP request and receive a huge number of
records in the response stream?  Certainly possible, but is there _ANY_
protocol out there besides SPF that explicitly provides for that odd kind
of "attack"?  I mean, do we _really_ need to _standardize_ behavior for
that situation?  I think implementations will be intelligent enough not to
keep reading the stream forever.  And after all, RFC 4408 does point out
the general issue.

> You correctly point out that TempError should be for conditions that
> are likely to resolve themselves.  But on the other hand, we don't
> want PermError to be implementation defined.  Maybe we should have
> had an ImplLimitError result.

Good idea for the future.  For now, however, I did not say that "PermError" 
should be returned.  What I said is that it should be treated as "no 
match" for the mechanism in question.

A future version of SPF should probably use structured result codes.

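Added example, not part of the original message and not code from any SPF implementation: a capped evaluation of the "a" mechanism showing how the three outcomes discussed in this exchange ("no match", TempError, PermError) change the final result for a sender whose address lies beyond the cap. The cap value, the function names, the policy `v=spf1 a -all` and the 10.0.0.0-based addresses are all constructed for illustration.

```python
import ipaddress
from itertools import islice

# Assumed cap for this example; the thread calls this line "implementation defined".
MAX_A_RECORDS = 10

def constructed_a_rrset(count, base="10.0.0.0"):
    """Lazily yield `count` constructed A records, standing in for a huge TCP response."""
    start = ipaddress.ip_address(base)
    return (start + i for i in range(count))

def eval_a(source_ip, rrset, on_limit="no-match", cap=MAX_A_RECORDS):
    """Evaluate an SPF 'a' mechanism, reading at most `cap` records.

    on_limit selects the outcome when the cap is reached without a match:
    "no-match" (what Mehnle proposes above), or "temperror" / "permerror"
    (the two results Gathman considers possible).
    """
    source = ipaddress.ip_address(source_ip)
    records = iter(rrset)
    for addr in islice(records, cap):
        if addr == source:
            return "match"
    # Read one record past the cap: only if it exists was evaluation cut short.
    if next(records, None) is None:
        return "no-match"  # complete set examined, genuinely no match
    return on_limit

def check_host(source_ip, rrset, on_limit):
    """Result of the constructed policy 'v=spf1 a -all' for source_ip."""
    outcome = eval_a(source_ip, rrset, on_limit)
    if outcome == "match":
        return "pass"
    if outcome == "no-match":
        return "fail"  # evaluation falls through to -all
    return outcome  # temperror / permerror end evaluation

if __name__ == "__main__":
    # 100 million records are never materialised: at most cap + 1 are read.
    for policy in ("no-match", "temperror", "permerror"):
        rrset = constructed_a_rrset(100_000_000)
        print(policy, "->", check_host("10.0.0.50", rrset, policy))
```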
