spf-discuss

Re: [spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-30 23:08:23
In <4546DF94(_dot_)617F(_at_)xyzzy(_dot_)claranet(_dot_)de> Frank Ellermann 
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> writes:

> william(at)elan.net wrote:
>
>> Provide list of appropriate rebuttal points and I'll make
>> it after the presentation.
>
> For a start see the corresponding thread on the DKIM list:
> <http://permalink.gmane.org/gmane.ietf.dkim/6299>

Yeah, I saw that, but your response doesn't really apply to the
example that DougO gave in his I-D.

From what I can tell, the only thing that DougO's I-D deals with that
hadn't already been mentioned on this list before MARID started was
the use of longer domain labels on the MX records.  (I used long
domain names in other DoS scenarios, but not the MX case.)

I was the first to really raise the issue of SPF and DoS attacks in
late 2003, and I have been the only one who has really pushed the
issue in the SPF community.  (The lack of DoS resistant process limits
was one of the major reasons I started my schlitt-spf-classic I-D.)


I dunno.  If the only two people who think the DoS issues with SPF are
worth worrying about are DougO and me, then maybe I've just screwed up
my analysis and am worrying about a non-issue.  It would probably be
best if someone besides me did the analysis to see if Doug is right or
not.  I would hope that a good starting place would be to review some
of my posts on the subject over the last 3 years.


Contrary to DougO's doom-and-gloom assessment of SPF, I suspect that
*IF* he has actually found something, the right thing to do would be
to simply limit the total number of DNS lookups.  This is allowed
under RFC4408, as is rejecting SPF records that are too long.
(Another thing that DougO mentions in his I-D.)


-wayne
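
Added example, not part of the original message and not taken from any SPF implementation: a sketch of the mitigation described above, where one shared budget caps both the DNS-querying terms and the total DNS queries of a single SPF check, and oversized records are rejected. The zone data is constructed, and `MAX_QUERIES` and `MAX_RECORD_LEN` are assumed local policy values, not figures from RFC 4408.

```python
import re

MAX_TERMS = 10         # RFC 4408 section 10.1: DNS-querying mechanisms/modifiers per check
MAX_MX_HOSTS = 10      # RFC 4408 section 10.1: MX names checked per "mx" mechanism
MAX_QUERIES = 30       # assumption: local cap on total DNS queries per check
MAX_RECORD_LEN = 450   # assumption: local cap on the length of one SPF record

# Constructed in-memory zone data (not real domains), so the example runs offline.
TXT = {
    "ok.test": "v=spf1 a mx include:inc.test -all",
    "inc.test": "v=spf1 ip4:192.0.2.0/24 mx -all",
    "heavy.test": "v=spf1 mx:m1.test mx:m2.test mx:m3.test mx:m4.test -all",
}
MX = {"ok.test": ["mail.ok.test"], "inc.test": ["mx1.inc.test", "mx2.inc.test"]}
MX.update({f"m{i}.test": [f"h{j}.m{i}.test" for j in range(10)] for i in range(1, 5)})

class PermError(Exception):
    """Raised when a record is unusable or a processing limit is exceeded."""

def spend(budget, terms=0, queries=0):
    budget["terms"] += terms
    budget["queries"] += queries
    if budget["terms"] > MAX_TERMS or budget["queries"] > MAX_QUERIES:
        raise PermError("lookup budget exceeded")

def walk(domain, txt, mx, budget):
    spend(budget, queries=1)                       # TXT fetch for this domain
    record = txt.get(domain, "")
    if not record.startswith("v=spf1") or len(record) > MAX_RECORD_LEN:
        raise PermError("missing or oversized record")
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([^:=/]*)(?:[:=]([^/]+))?", term.lower())
        name, target = m.group(1), m.group(2) or domain
        if name in ("include", "redirect"):
            spend(budget, terms=1)
            walk(target, txt, mx, budget)          # nested record shares the same budget
        elif name == "mx":
            hosts = mx.get(target, [])[:MAX_MX_HOSTS]
            spend(budget, terms=1, queries=1 + len(hosts))  # MX query + one address query per host
        elif name in ("a", "exists", "ptr"):
            spend(budget, terms=1, queries=1)      # ptr follow-up lookups are not modelled

def audit(domain, txt=TXT, mx=MX):
    """Return (result, dns_querying_terms, total_queries) for one SPF check."""
    budget, result = {"terms": 0, "queries": 0}, "ok"
    try:
        walk(domain, txt, mx, budget)
    except PermError:
        result = "permerror"
    return (result, budget["terms"], budget["queries"])
```

`audit("heavy.test")` stops at the third `mx` term: only 3 of the 10 permitted DNS-querying terms have been used, but the 34 queries already exceed the total-query cap, which is the case a per-term limit alone does not catch.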
