
Mailing List Archive: SPF: Discuss

10-20-30 (was: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)])


nobody at xyzzy

Oct 31, 2006, 10:34 PM

Post #1 of 2 (642 views)
10-20-30 (was: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)])

Scott Kitterman wrote:

>> To damp Doug's attack without counting bytes (shudder) maybe a total
>> limit of about 40 queries (10 mechanisms + 30 names) would do, or is
>> that too liberal / too conservative?

> I think that's on the right track.

> The problem as I understand it is that some IP addresses on shared
> hosts have huge numbers of PTR records.

The "ptr" part is IMO solved, you do that at most once per connecting
IP (i.e. at most once per SMTP session, no matter how many mails and
how many RCPT TO).

The spec then requires checking the names, filtering for names that
resolve to the connecting IP (all other names are crap). And the spec
requires checking at most 10 names. And that's per SMTP session, IMO
it's sound.

> I'd be tempted to go for something like that, but I think you have
> to process MX before PTR if they count against the same limit.

We could replace 10/10/10 (2nd 10 "per mx mechanism", 3rd 10 for the
overall "ptr" limit) by 10/30/10:

1st and 3rd 10 as is, and a new 30 as "total A queries triggered by
mx-mechanisms in a single evaluation". In practice, outside of attack
scenarios this is not very interesting; the q=mx reply often (?) has
all IPs of the MX host names in its additional section.

In that case you might not need any additional query at all per "mx".

But of course an attacker would arrange things in a way where this
shortcut won't work. It probably also depends on some other factors,
DNS server software, resolver API, number + lengths of MX host names
modulo DNS compression, etc. (and besides I know sh*t about DNS ;-)

> I'd be more inclined to set the MX limit to 20 total for all MX
> mechanisms

Could we make it clear that 20 is only for *additional* queries, not
counting names already resolved in the q=mx answer? Could that fly
with your API? With an "nslookup" pseudo-API it should work.

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss [at] v2


julian at mehnle

Nov 1, 2006, 3:39 AM

Post #2 of 2 (587 views)
Re: 10-20-30 [In reply to]

Frank Ellermann wrote:
> Scott Kitterman wrote:
> > I'd be more inclined to set the MX limit to 20 total for all MX
> > mechanisms
>
> Could we make it clear that 20 is only for *additional* queries, not
> counting names already resolved in the q=mx answer? Could that fly
> [...] ?

No, because that wouldn't be deterministic. It would depend on the
nameserver's condition, which is bad.


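The lookup-limit accounting debated above (10 DNS-querying mechanisms, 10 MX names per "mx" mechanism, Frank's proposed 30 total A queries across all "mx" mechanisms, and Julian's objection that counting only queries not answered from the additional section makes the result depend on the nameserver), as an added simulation that is not part of the thread or of any SPF implementation. The zone data, the `Limits` class and the `additional_has_a` flag are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    mechanisms: int = 10  # DNS-querying mechanisms per evaluation (the 1st "10")
    mx_names: int = 10    # MX names resolved per single "mx" mechanism (the 2nd "10")
    mx_total: int = 30    # Frank's proposed "30": A queries across all "mx" mechanisms

# Constructed zone data (not real domains). "mx" lists the names a q=mx reply returns.
ZONE = {
    "example.test": {"spf": "v=spf1 mx mx:relay.test -all", "mx": ["m1.test", "m2.test"]},
    "relay.test":   {"spf": "v=spf1 -all", "mx": [f"r{i}.test" for i in range(8)]},
    "toomany.test": {"spf": "v=spf1 mx -all", "mx": [f"x{i}.test" for i in range(11)]},
    "fanout.test":  {"spf": "v=spf1 mx:relay.test mx:relay.test mx:relay.test mx:relay.test -all",
                     "mx": []},
}

def evaluate(domain, additional_has_a, count_additional_only=False, limits=Limits()):
    """Walk an SPF record and count lookups the way the thread proposes.

    additional_has_a simulates the nameserver's condition: whether the q=mx reply
    happened to carry the MX hosts' A records in its additional section.
    count_additional_only=True is Frank's variant (only *additional* queries count);
    False is the deterministic variant Julian argues for (every MX name counts).
    Returns ("ok" | "permerror", counts)."""
    counts = {"mechanisms": 0, "mx_a_queries": 0}
    for term in ZONE[domain]["spf"].split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("a", "mx", "ptr", "exists", "include"):
            counts["mechanisms"] += 1
            if counts["mechanisms"] > limits.mechanisms:
                return "permerror", counts
        if mech == "mx":
            names = ZONE[arg or domain]["mx"]      # the one MX query per mechanism
            if len(names) > limits.mx_names:
                return "permerror", counts         # more than 10 MX names: permerror
            for _name in names:
                if count_additional_only and additional_has_a:
                    continue                       # A came for free in the additional section
                counts["mx_a_queries"] += 1        # one A query per MX name
            if counts["mx_a_queries"] > limits.mx_total:
                return "permerror", counts         # exceeds the proposed per-evaluation cap
    return "ok", counts

if __name__ == "__main__":
    for flag in (True, False):   # same record, different nameserver condition
        print("deterministic:", evaluate("example.test", flag))
        print("additional-only:", evaluate("example.test", flag, count_additional_only=True))
```

Running it shows the deterministic variant giving the same counts for both nameserver conditions, while the additional-only variant counts 0 or 10 A queries for the identical record, which is Julian's objection in code.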
