
Re: [CORE] SPF Record ...

From: Andrew Sullivan <ajs(at)crankycanuck(dot)ca>
To: pgsql-www(at)postgresql(dot)org
Subject: Re: [CORE] SPF Record ...
Date: 2006-11-17 12:05:24
Message-ID: 20061117120524.GB19153@phlogiston.dyndns.org
Lists: pgsql-www

On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
> 
> +1 on the idea, but am willing to listen to objections...

Well, the objection is basically that SPF records are possibly a
vector for large-scale DoS amplification attacks _on the receiving
client end_.  So they don't affect you, but they cause a lot of
processing by someone else.

Doug Otis made a presentation about this at IETF67 just last week. 
It's somewhat controversial -- the SPF supporters claim that the
attack is no worse than for any other DNS where one controls the
domain.  

In any case, though, SPF records are considerably larger than
traditional DNS responses, which means much of the time everyone is
failing back to TCP.  Since a number of non-clueful DNS operators
think you can block TCP on port 53, it's also a potential way to
prevent communication.

A

-- 
Andrew Sullivan  | ajs(at)crankycanuck(dot)ca
The fact that technology doesn't work is no bar to success in the marketplace.
		--Philip Greenspun
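
The size concern raised in the message above can be checked offline. The following is an added example, not part of the original message: it builds the wire-format DNS response for a TXT record carrying an SPF policy and compares it with the 512-byte limit for DNS over UDP without EDNS0 (RFC 1035). The domain `example.org`, the `192.0.2.x` addresses and all function names are constructed for illustration.

```python
import struct

UDP_LIMIT = 512  # RFC 1035: largest DNS message over UDP without EDNS0
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(text):
    """TXT RDATA is a sequence of character-strings of at most 255 bytes each."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def txt_response(name, texts, txid=0x1234):
    """Build a response with one question and one TXT answer per text."""
    # Flags 0x8180: response, recursion desired, recursion available.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(texts), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for text in texts:
        rdata = txt_rdata(text)
        # 0xC00C is a compression pointer to the name in the question.
        answers += b"\xc0\x0c" + struct.pack(
            "!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def needs_tcp(name, texts):
    """True if the response exceeds the UDP limit, so the server would set
    the truncation bit and the client would have to retry over TCP."""
    return len(txt_response(name, texts)) > UDP_LIMIT


# Constructed sample policies: a short one and one listing 40 addresses.
SHORT_SPF = "v=spf1 mx -all"
LONG_SPF = "v=spf1 " + " ".join("ip4:192.0.2.%d" % i for i in range(40)) + " -all"

if __name__ == "__main__":
    for spf in (SHORT_SPF, LONG_SPF):
        size = len(txt_response("example.org", [spf]))
        print(size, "bytes, TCP retry needed:", size > UDP_LIMIT)
```

The count covers only the answer section; authority and additional records in a real response add to it.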
