James Craig Burley wrote:
> So, SPF queries involve only second-level (or higher) domain names??
Yes, but not for the reason you are thinking of. I'm just saying that *all* [non-reverse] DNS queries should terminate after typically 3 queries, which corresponds to second level domains:
ROOT => TLD => second level domain server
SPF queries are specifically against the bare domain name, so they will always take the minimum number of hops _for a given domain_.
> And I believe many people have already experienced unacceptable delays processing incoming email as a result of employing such checks.
YMMV with what is unacceptable.
> You're combating a potentially exponential problem with mere multiples of resources.
And you are conflating an _extraordinary_ situation with _ordinary_ operations. For most of us, the spammers are a constant, but unfocused, level of noise. I don't scale my system based on the potential of a directed denial of service, because I *cannot* completely prevent one, no matter how much money I spend. I scale my systems based on normal expected load, which I can affect by adding CPUs to balance the normal load.
> Since the whole *point* of this exercise is to determine trustworthiness, we must *assume* that there will be cases of "partial trust" -- you might trust c.d.e's *own* published DNS information, but not *all* of the delegations it makes to its own subdomains.
You already trust c.d.e to delegate all other DNS queries to the server for a.b.c.d.e (that is the way that DNS works). Why shouldn't that trust extend to SPF records? This is also, in my experience, not a realistic situation.
AOL.COM is not going to delegate SOME.SPAMMER.IN.CHINA.AOL.COM to anyone. Most subdomains that I am aware of are used by multinational companies to divide up their own domain namespace, and I assure you that they don't just randomly create subdomains for clients. The in-addr.arpa space is much more casually chopped up than the domain namespace (i.e. there is less control of subdomains by superdomains).
> Apparently, with a technology (SPF) that is easily attacked and that does not necessarily even offer us the same ability to inject emails into this "web of trust" that involves the limited scope and Root-closeness enjoyed by the privileged few.
You are still dealing in theoreticals here. I haven't seen any evidence of an exploit that doesn't rely on a DOS which is not preventable in the generic case anyways. And the number of delegated subdomains is vanishingly small (in my experience) to begin with, so this is all a straw man, IMNSHO.
John
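The query-count and delegation-trust argument above, as an added illustration that is not part of the thread: a toy iterative resolver walks a constructed delegation tree (the `DELEGATIONS` map, zone names `e`, `d.e`, `c.d.e`, `b.c.d.e` and `example.com` are all assumptions made up for this example) and reports how many servers an uncached lookup must ask and which zones' delegation data it had to trust along the way.

```python
# Constructed delegation tree for the example: zone apex -> set of child zones
# it delegates to other servers. A name that is not delegated further is
# answered by the enclosing zone itself (no extra query, no extra trust).
DELEGATIONS = {
    ".": {"e", "com"},
    "e": {"d.e"},                # TLD "e" delegates second-level d.e
    "d.e": {"c.d.e"},
    "c.d.e": {"b.c.d.e"},        # c.d.e hands b.c.d.e to another operator
    "b.c.d.e": set(),
    "com": {"example.com"},
    "example.com": set(),        # no further delegation (the AOL.COM case)
}


def resolve_path(name):
    """Return (queries, zones) for an uncached iterative lookup of `name`.

    queries: number of authoritative servers asked, starting at the root.
    zones:   the chain of zones whose delegation data the resolver trusted,
             root first; the last entry is the zone that answers the name.
    """
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    zone, zones = ".", ["."]
    # Walk down from the root, following each delegation that covers `name`.
    # Labels are consumed right to left: "e", "d.e", "c.d.e", ...
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATIONS.get(zone, set()):
            zone = candidate
            zones.append(zone)
    return len(zones), zones


def spf_lookup_cost(domain):
    """An SPF check queries the TXT record of the bare sender domain, so its
    cost is exactly the referral walk for that domain and nothing more."""
    return resolve_path(domain)[0]


if __name__ == "__main__":
    for n in ("example.com", "mail.example.com", "c.d.e", "a.b.c.d.e"):
        q, chain = resolve_path(n)
        print(f"{n:18} {q} queries, trusted zones: {' -> '.join(chain)}")
```

For `example.com` the walk is ROOT => com => example.com (3 queries), while `a.b.c.d.e` costs 5 because two more delegation points sit below the second level, each adding one query and one more operator whose delegation the resolver must trust.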