spf-discuss

Re: [spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-31 10:02:48
In 
<Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0610311049530(_dot_)5676-100000(_at_)bmsred(_dot_)bmsi(_dot_)com>
 "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> writes:

> I had a limit of 50 DNS queries total in pyspf, before the 10/10/10
> rule went down.  The most queries I've ever encountered for a real SPF
> record was 76.

There needs to be a limit of 10 mechanisms anyway since, if I recall
my DoS study results correctly, having more creates too large an
amplification factor.  DougO's attack utilizes DNS label compression
to keep the single MX lookup relatively small while generating large
individual A record lookups directed toward the victim.
Impossible-to-compress lookups can easily be created with simple
include: or a: mechanisms.


> IMO, a simple limit for total queries was much simpler and easier
> to implement than what we have.

Yes, a limit on the total number of DNS lookups is simpler for the
implementation than the 10/10/10 rule.  It is, however, much harder to
count by eye.

And, while the total number of DNS lookups is simpler, it isn't
really the critical thing; it is the total number of bytes that is
really important.


-wayne
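As an added illustration (not code from this thread or from pyspf), the walker below applies the two limits discussed above to a constructed SPF zone: a cap on lookup-causing terms per SPF check, assumed here to be the first "10" of the 10/10/10 rule, and the total-query cap of 50 that Stuart describes for pyspf. It also tallies the TXT bytes actually fetched, since Wayne's point is that byte volume rather than query count drives the amplification; all domain names and records are constructed, and a/mx/ptr/exists terms are modelled as one query each.

```python
import re

# Mechanisms, plus the redirect modifier, whose evaluation needs a DNS query.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUP_TERMS = 10    # assumed: the "10" lookup-causing terms per SPF check
MAX_TOTAL_QUERIES = 50   # the total-query cap Stuart says pyspf used

# Constructed SPF zone for the walk below; these are not real DNS records.
ZONE = {
    "example.com": "v=spf1 include:_spf.example.com mx -all",
    "_spf.example.com": "v=spf1 include:a.example.com include:b.example.com ~all",
    "a.example.com": "v=spf1 ip4:192.0.2.0/24 a mx -all",
    "b.example.com": "v=spf1 a mx ptr exists:%{i}.chk.example.com -all",
    "heavy.example.com": "v=spf1 include:example.com a -all",  # one term too many
}
# Optional qualifier, then the term name, then an optional argument.
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/].*)?$", re.IGNORECASE)

class PermError(Exception):
    """A limit was exceeded; SPF evaluation stops with a permanent error."""

def evaluate(domain, zone=ZONE, stats=None):
    """Walk include:/redirect= chains, tallying lookup terms, queries and TXT bytes."""
    if stats is None:
        stats = {"lookup_terms": 0, "queries": 0, "txt_bytes": 0}
    stats["queries"] += 1                       # the TXT query for this domain
    record = zone.get(domain, "")
    stats["txt_bytes"] += len(record.encode())  # answer size actually received
    for term in record.split()[1:]:             # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        name = m.group(1).lower() if m else None
        if name not in LOOKUP_TERMS:
            continue                            # ip4, ip6, all: no lookup
        stats["lookup_terms"] += 1
        if stats["lookup_terms"] > MAX_LOOKUP_TERMS:
            raise PermError("more than %d lookup-causing terms" % MAX_LOOKUP_TERMS)
        if name in ("include", "redirect"):
            evaluate(term.split(":" if name == "include" else "=", 1)[1], zone, stats)
        else:
            stats["queries"] += 1               # a/mx/ptr/exists: modelled as one query
        if stats["queries"] > MAX_TOTAL_QUERIES:
            raise PermError("more than %d DNS queries" % MAX_TOTAL_QUERIES)
    return stats

def check(domain, zone=ZONE):
    """Return ('ok', stats) or ('permerror', reason) for one SPF check."""
    try:
        return "ok", evaluate(domain, zone)
    except PermError as e:
        return "permerror", str(e)
```

Running check("example.com") lands exactly on the limit with 11 queries and 175 TXT bytes, while heavy.example.com adds one more term and fails, which shows why the per-check term count is easy to hit by eye but says nothing about how many bytes the chain pulls.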

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com