Re: [spfbis] Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

Scott Kitterman <spf2@kitterman.com> Tue, 27 August 2013 03:04 UTC

On Monday, August 26, 2013 19:40:29 S Moonesamy wrote:
> Hello,
> 
> At 13:07 23-08-2013, Douglas Otis wrote:
> >4.6.4.  DNS Lookup Limits
> >
> >Was:
> >,--
> >SPF implementations MUST limit the total number of mechanisms and
> >modifiers ("terms") that cause any DNS query to 10 during SPF
> >evaluation.
> >'--
> >
> >Change to:
> >,---
> >SPF evaluation must limit the number of mechanisms, and the modifier
> >term 'redirect' to occur in no more than 10 instances within the
> >evaluation process.  The mechanisms 'ip4', 'ip6', and 'all' are
> >excluded from this instance limitation.  Each mechanism is permitted
> >to resolve subsequent resource record sets (RRsets) that MUST not
> >contain more than 10 resource records to complete a match check.
> >When the number of instances exceeds 10, or when subsequent
> >resolutions exceed 10, check_host() MUST produce a "permerror"
> >result.
> >
> >The maximum number of DNS transactions initiated by an SPF
> >evaluation is therefore 1 for the initial SPF resource record, 10 for
> >each mechanism times 10 transactions needed to complete a matching
> >process for a total of 111 DNS transactions.  This number excludes
> >those required by DNS to fulfill a request and those required by an
> >EXP modifier.
> 
> Can the working group address the above comments?

We worked through the language of that section closely in the WG to try and 
make it more comprehensible while retaining correctness.  I don't find the 
proposed text an improvement over the working group's effort.

Scott K
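
Added example, not part of the message above or of the draft: a worst-case count of the terms that section 4.6.4 limits to 10 (the "include", "a", "mx", "ptr" and "exists" mechanisms and the "redirect" modifier), walked over a constructed set of records. ZONE, the .test domains and the function names are assumptions made for illustration; macros are not expanded and a missing record is treated as empty.

```python
# Added example: worst-case count of SPF terms that cause DNS queries.
# ZONE is a constructed stand-in for TXT lookups; every domain here is made up.
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.example.test include:mail.vendor.test -all",
    "_spf.example.test": "v=spf1 ip4:192.0.2.0/24 a:out.example.test exists:%{i}.bl.example.test ~all",
    "mail.vendor.test": "v=spf1 include:a.vendor.test include:b.vendor.test redirect=c.vendor.test",
    "a.vendor.test": "v=spf1 mx ptr -all",
    "b.vendor.test": "v=spf1 a mx -all",
    "c.vendor.test": "v=spf1 ip6:2001:db8::/32 -all",
    "small.test": "v=spf1 ip4:198.51.100.7 mx -all",
}
LIMIT = 10
QUERYING_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # not ip4, ip6, all

class PermError(Exception):
    """Raised when the term limit is exceeded; carries the domain reached."""

def parse_term(term):
    """Split one term into (name, target); target is None when absent."""
    head, eq, value = term.partition("=")
    if eq and ":" not in head and "/" not in head:
        return head.lower(), value              # modifier such as redirect=domain
    name, _, rest = term.lstrip("+-~?").partition(":")
    return name.split("/")[0].lower(), rest.split("/")[0] or None

def bump(count, domain):
    """Count one more DNS-querying term, failing once the limit is passed."""
    if count + 1 > LIMIT:
        raise PermError(domain)
    return count + 1

def count_terms(domain, count=0):
    """Walk include and redirect targets as if no mechanism ever matched."""
    terms = [parse_term(t) for t in ZONE.get(domain, "").split()[1:]]
    redirect = None
    for name, target in terms:
        if name == "redirect":
            redirect = target                   # followed only after all mechanisms
        elif name in QUERYING_MECHANISMS:
            count = bump(count, domain)
            if name == "include":
                count = count_terms(target, count)
    if redirect and not any(n == "all" for n, _ in terms):
        count = count_terms(redirect, bump(count, domain))
    return count

def check(domain):
    """Return ("ok", terms counted) or ("permerror", domain where the limit broke)."""
    try:
        return ("ok", count_terms(domain))
    except PermError as exc:
        return ("permerror", str(exc))
```

Because every "include" and "redirect" is itself counted, a record that includes itself reaches the limit and stops rather than recursing without bound.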