Scott Kitterman wrote:
>> To damp Doug's attack without counting bytes (shudder) maybe a total
>> limit of about 40 queries (10 mechanisms + 30 names) would do, or is
>> that too liberal / too conservative?
> I think that's on the right track.
> The problem as I understand it is that some IP addresses on shared
> hosts have huge numbers of PTR records.
The "ptr" part is IMO solved: you do that at most once per connecting
IP (i.e. at most once per SMTP session, no matter how many mails and
how many RCPT TO).
The spec. then requires checking the names, filtering names with the
connecting IP (all other names are crap). And the spec. requires
checking at most 10 names. And that's per SMTP session, IMO it's sound.
> I'd be tempted to go for something like that, but I think you have
> to process MX before PTR if they count against the same limit.
We could replace 10/10/10 (2nd 10 "per mx mechanism", 3rd 10 for the
overall "ptr" limit) by 10/30/10:
1st and 3rd 10 as is, and a new 30 as "total A queries triggered by
mx-mechanisms in a single evaluation". In practice outside of attack
scenarios this is not very interesting, the q=mx reply often (?) has
all IPs of the MX host names in its additional section.
In that case you might not need any additional query at all per "mx".
But of course an attacker would arrange things in a way where this
shortcut won't work. It probably also depends on some other factors,
DNS server software, resolver API, number + lengths of MX host names
modulo DNS compression, etc. (and besides I know sh*t about DNS ;-)
> I'd be more inclined to set the MX limit to 20 total for all MX
> mechanisms
Could we make it clear that 20 is only for *additional* queries, not
counting names already resolved in the q=mx answer? Could that fly
with your API? With an "nslookup" pseudo-API it should work.
Frank
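Added example, not code from the thread or from any SPF implementation: a toy evaluator for "mx" mechanisms that enforces the 10/30/10 budget discussed above (10 DNS-querying mechanisms, 10 MX names per mechanism, 30 additional A queries for all mx mechanisms combined), where names already answered in the MX reply's additional section ("glue") cost no extra query. The DNS is a constructed in-memory zone (the FakeDNS class and all domain names are assumptions), so it runs offline.

```python
MAX_MECH, MAX_NAMES_PER_MX, MAX_EXTRA_A = 10, 10, 30   # the proposed 10/30/10

class PermError(Exception): pass  # evaluation aborted: budget exceeded

class Budget:
    def __init__(self):
        self.mechs = 0     # DNS-querying mechanisms evaluated so far
        self.extra_a = 0   # A queries the MX reply's additional section did not cover
        self.queries = 0   # every query actually sent, for reporting

class FakeDNS:
    # Constructed zone: MX names per domain, optional glue addresses, A records
    def __init__(self, mx, glue, a):
        self.mx, self.glue, self.a = mx, glue, a

    def query_mx(self, budget, domain):
        budget.queries += 1
        names = self.mx.get(domain, [])
        return names, {n: self.glue[n] for n in names if n in self.glue}  # glue = additional section

    def query_a(self, budget, name):
        budget.queries += 1
        budget.extra_a += 1
        if budget.extra_a > MAX_EXTRA_A:
            raise PermError("more than %d additional A queries from mx" % MAX_EXTRA_A)
        return self.a.get(name, [])

def mx_matches(dns, budget, domain, client_ip):
    """One 'mx' mechanism: True if client_ip is an address of an MX of domain."""
    budget.mechs += 1
    if budget.mechs > MAX_MECH:
        raise PermError("more than %d DNS-querying mechanisms" % MAX_MECH)
    names, glue = dns.query_mx(budget, domain)
    if len(names) > MAX_NAMES_PER_MX:
        raise PermError("more than %d MX names for %s" % (MAX_NAMES_PER_MX, domain))
    for name in names:
        ips = glue.get(name) or dns.query_a(budget, name)  # glue costs nothing
        if client_ip in ips:
            return True
    return False

def evaluate_mx_list(dns, domains, client_ip):
    # Evaluate 'mx:<domain>' mechanisms in order; returns (result, budget)
    budget = Budget()
    try:
        for d in domains:
            if mx_matches(dns, budget, d, client_ip):
                return "pass", budget
        return "fail", budget
    except PermError:
        return "permerror", budget
```

Three mx mechanisms with 10 glue-less MX names each use exactly the 30 additional A queries and fail cleanly; a fourth trips the limit with a permerror, while a reply that carries glue needs a single query.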
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/