Re: [CORE] SPF Record ...

From Andrew Sullivan
Subject Re: [CORE] SPF Record ...
Date
Msg-id 20061117120524.GB19153@phlogiston.dyndns.org
In response to Re: [CORE] SPF Record ...  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [CORE] SPF Record ...
List pgsql-www
On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
>
> +1 on the idea, but am willing to listen to objections...

Well, the objection is basically that SPF records are possibly a
vector for large-scale DoS amplification attacks _on the receiving
client end_.  So they don't affect you, but they cause a lot of
processing by someone else.

Doug Otis made a presentation about this at IETF67 just last week.
It's somewhat controversial -- the SPF supporters claim that the
attack is no worse than for any other DNS where one controls the
domain.

In any case, though, SPF records are considerably larger than
traditional DNS responses, which means much of the time everyone is
falling back to TCP.  Since a number of non-clueful DNS operators
think you can block TCP on port 53, it's also a potential way to
prevent communication.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
The fact that technology doesn't work is no bar to success in the marketplace.
        --Philip Greenspun
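
The two concerns in the message above (response size forcing TCP, and extra DNS work on the receiving side) can be checked for a candidate record before it is published. This is an added example, not part of the original post: the function names are hypothetical, the sample records are constructed, and the size is a lower bound that ignores authority and additional sections.

```python
import re

UDP_LIMIT = 512   # classic DNS-over-UDP message limit without EDNS0 (RFC 1035)
MAX_LOOKUPS = 10  # SPF's cap on DNS-querying terms per evaluation

# Terms that make the *receiving* side issue further DNS queries.
_LOOKUP = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)


def txt_response_size(qname, txt):
    """Lower bound on the wire size of a response with one TXT answer."""
    name = qname.rstrip(".")
    qname_len = len(name) + 2 if name else 1   # label length bytes + root label
    data = len(txt.encode("ascii"))
    chunks = max(1, -(-data // 255))           # TXT strings hold <= 255 bytes each
    rdata = data + chunks                      # one length byte per string
    header = 12
    question = qname_len + 4                   # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + rdata         # name ptr, TYPE, CLASS, TTL, RDLENGTH
    return header + question + answer


def needs_tcp(qname, txt, limit=UDP_LIMIT):
    """True if the answer cannot fit in one UDP message of `limit` bytes."""
    return txt_response_size(qname, txt) > limit


def lookup_terms(txt):
    """Count top-level terms that trigger DNS queries (includes not followed)."""
    terms = txt.split()[1:]                    # skip the "v=spf1" version tag
    return sum(1 for t in terms
               if _LOOKUP.match(t) or t.lower().startswith("redirect="))


# Constructed sample records (documentation addresses and example domains).
SHORT = "v=spf1 mx -all"
LONG = ("v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40))
        + " include:_spf.example.net -all")

if __name__ == "__main__":
    for label, rec in (("short", SHORT), ("long", LONG)):
        size = txt_response_size("example.org", rec)
        print(f"{label}: {size} bytes, tcp_fallback={needs_tcp('example.org', rec)}, "
              f"lookup_terms={lookup_terms(rec)}/{MAX_LOOKUPS}")
```

A record that trips `needs_tcp` will be unreachable for resolvers behind firewalls that block TCP port 53, which is the failure mode the message describes.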
