spf-discuss

[spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-31 00:54:33
wayne wrote:
 
> Yeah, I saw that, but your response doesn't really apply to the
> example that DougO gave in his I-D.

It's really hard to find the substance in his idiosyncratic weasel
words, so if you found it please explain it in something remotely
related to plain text.  E.g. where does his "2000" come from?

> the use of longer domain labels on the MX records

The length of domain labels?  Are we talking about bytes in his
factor 2000 story?

> I have been the only one who has really pushed the issue in the
> SPF community.  (The lack of DoS resistant process limits was one
> of the major reasons I started my schlitt-spf-classic I-D.)

Yes, I recall that, and of course you weren't alone, it's more like
the precise reason why "the community" changed horses in the battle,
because Mark's I-D didn't address that point, and he also didn't
indicate that he's willing to fix it a.s.a.p.

BTW, it was also discussed later again with Radu.


> If the only two people who think the DoS issues with SPF are worth
> worrying about are DougO and me, then maybe I've just screwed up
> my analysis and am worrying about a non-issue.

For normal usage everything is fine.  For an attack it might need
somewhat tighter limits in the triple ten formula.  You were never
alone with this issue, at least I'm interested.

> I would hope that a good starting place would be to review some
> of my posts on the subject over the last 3 years.

I'm not that interested in digging into articles posted before May 2004;
anything later I've read (and discussed; it took us some days to
arrive at the triple-ten limit after the MARID termination).

> *IF* he has actually found something, the right thing to do would
> be to simply limit the total number of DNS lookups.  This is
> allowed under RFC4408

Almost recommended, there's a "SHOULD limit the amount of data",
but the MUST hard limits are 10/10/10.  Maybe that could be tuned
in a 4408bis:  Are more than, say, two mx mechanisms per SPF record
realistic / necessary?

A limit of two "mx" per record would result in at most seven "mx"
with three include or redirect.  Not very convincing, 70 queries
isn't much better than 100.  We could use a total limit of queries:

<http://article.gmane.org/gmane.mail.spam.spf.discuss/10950>

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
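Editor's added example (not part of Frank's or wayne's messages, and not code from any SPF implementation): a toy check_host() that counts DNS queries while enforcing the RFC 4408 section 10.1 limits discussed above (at most 10 DNS-querying mechanisms per check, at most 10 MX RRs per mx mechanism), with an optional total query budget of the kind the thread proposes. The zone data is constructed: good.example is a benign domain with two MX hosts; evil.example is built to sit exactly at both hard limits, so one check costs 1 TXT + 10 MX + 100 A = 111 queries. The domain names, addresses and the `budget` parameter are assumptions for illustration.

```python
"""Toy SPF check_host() that counts DNS queries under the RFC 4408 section 10.1
limits (10 DNS-querying mechanisms per check, 10 MX RRs per mx mechanism) and,
optionally, a total query budget.  Added example; all zone data is constructed."""

from ipaddress import ip_address, ip_network


class PermError(Exception):
    """Raised when an RFC 4408 processing limit (or the optional budget) is exceeded."""


class FakeDNS:
    """In-memory resolver.  Every lookup, of any type, increments `queries`."""

    def __init__(self, zone):
        self.zone = zone            # {(qtype, name): [rdata, ...]}
        self.queries = 0

    def lookup(self, qtype, name, budget=None):
        self.queries += 1
        if budget is not None and self.queries > budget:
            raise PermError("total DNS query budget of %d exceeded" % budget)
        return self.zone.get((qtype, name.lower()), [])


def check_host(dns, ip, domain, budget=None, _state=None):
    """Return (result, queries).  The mechanism counter is shared across
    include and redirect, as section 10.1 requires."""
    ip = ip_address(ip)
    state = _state if _state is not None else {"mechs": 0}
    records = [r for r in dns.lookup("TXT", domain, budget) if r.startswith("v=spf1 ")]
    if len(records) != 1:
        raise PermError("expected exactly one SPF record for %s" % domain)
    redirect = None
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        # include, a, mx and redirect= all count against the 10-mechanism limit.
        if name in ("include", "a", "mx") or mech.startswith("redirect="):
            state["mechs"] += 1
            if state["mechs"] > 10:
                raise PermError("more than 10 DNS-querying mechanisms")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns.lookup("A", arg or domain, budget)
        elif name == "mx":
            mxs = dns.lookup("MX", arg or domain, budget)
            if len(mxs) > 10:
                raise PermError("more than 10 MX RRs for %s" % (arg or domain))
            # One A lookup per MX host; stops early only if the IP matches.
            matched = any(str(ip) in dns.lookup("A", mx, budget) for mx in mxs)
        elif name == "include":
            sub, _ = check_host(dns, ip, arg, budget, state)
            matched = sub == "pass"
        elif mech.startswith("redirect="):
            redirect = mech.split("=", 1)[1]
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier], dns.queries
    if redirect:
        return check_host(dns, ip, redirect, budget, state)
    return "neutral", dns.queries


def build_zone():
    """Constructed zone: one benign domain and one built to maximise lookups."""
    zone = {
        ("TXT", "good.example"): ["v=spf1 mx -all"],
        ("MX", "good.example"): ["mx1.good.example", "mx2.good.example"],
        ("A", "mx1.good.example"): ["192.0.2.10"],
        ("A", "mx2.good.example"): ["192.0.2.11"],
    }
    # Attacker's record: ten mx mechanisms (the per-check maximum), each naming
    # a domain with ten MX RRs (the per-mechanism maximum), each MX host with
    # its own A record.  A non-matching client costs 1 + 10 + 100 = 111 queries.
    mx_terms = " ".join("mx:m%d.evil.example" % i for i in range(10))
    zone[("TXT", "evil.example")] = ["v=spf1 %s -all" % mx_terms]
    for i in range(10):
        hosts = ["h%d-%d.evil.example" % (i, j) for j in range(10)]
        zone[("MX", "m%d.evil.example" % i)] = hosts
        for j, host in enumerate(hosts):
            zone[("A", host)] = ["198.51.100.%d" % (i * 10 + j)]
    return zone


def query_count(domain, ip="203.0.113.5", budget=None):
    """Run check_host against the constructed zone; return (result, queries)."""
    dns = FakeDNS(build_zone())
    try:
        return check_host(dns, ip, domain, budget)
    except PermError:
        return "permerror", dns.queries


if __name__ == "__main__":
    print(query_count("good.example"))              # ('fail', 4)
    print(query_count("evil.example"))              # ('fail', 111)
    print(query_count("evil.example", budget=20))   # ('permerror', 21)
```

The point of the `budget` knob is the one made in the thread: the 10/10/10 limits are each respected by evil.example, yet a single check still triggers over a hundred queries, and trimming the per-record mx count only scales that linearly. A total query cap stops the check at a fixed cost regardless of how the record is shaped, at the price of returning PermError for legitimately large but unusual setups.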