Re: [CORE] SPF Record ...

On 17 Nov 2006 at 21:33, Marc G. Fournier wrote:

>
>
> --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan
> <ajs@crankycanuck.ca> wrote:
>
> > On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
> >>
> >> +1 on the idea, but am willing to listen to objections...
> >
> > Well, the objection is basically that SPF records are possibly a
> > vector for large-scale DoS amplification attacks _on the receiving
> > client end_.  So they don't affect you, but they cause a lot of
> > processing by someone else.
>
> But isn't that only if the receiving end has implemented an SPF policy?  SPF
> records aren't even checked if postfix (or the other MTAs) are configured to
> check for it ... no?

Correct.

> > In any case, though, SPF records are considerably larger than
> > traditional DNS responses, which means much of the time everyone is
> > failing back to TCP.  Since a number of non-clueful DNS operators
> > think you can block TCP on port 53, it's also a potential way to
> > prevent communication.
>
> 'lack of a clue' seems to be a bad reason to not use SPF, no?  And, please note
> that I wasn't suggesting *we* check SPF, only that we provide an SPF record in
> our DNS for those that do check it ...

Noted.  That is what was proposed.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php