Re: [CORE] SPF Record ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan
<ajs@crankycanuck.ca> wrote:

> On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
>>
>> +1 on the idea, but am willing to listen to objections...
>
> Well, the objection is basically that SPF records are possibly a
> vector for large-scale DoS amplification attacks _on the receiving
> client end_.  So they don't affect you, but they cause a lot of
> processing by someone else.

But isn't that only if the receiving end has implemented an SPF policy?  SPF
records aren't even checked if postfix (or the other MTAs) are configured to
check for it ... no?

> In any case, though, SPF records are considerably larger than
> traditional DNS responses, which means much of the time everyone is
> failing back to TCP.  Since a number of non-clueful DNS operators
> think you can block TCP on port 53, it's also a potential way to
> prevent communication.

'lack of a clue' seems to be a bad reason to not use SPF, no?  And, please note
that I wasn't suggesting *we* check SPF, only that we provide an SPF record in
our DNS for those that do check it ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXmMA4QvfyHIvDvMRAnBsAKCGb7g9Gty2ykzHv7+hvrhFRb1MegCgq8Mg
pB5mpSjT3LLNhDJBzZaOON4=
=SLkK
-----END PGP SIGNATURE-----