> James Craig Burley wrote:
>
>> Impressive. But a sufficiently well-endowed server can keep an entire
>> IPv4-based data base in RAM, correct?
>>
>> How large do you think the entire SPF data base would be, for the
>> entire Internet, in four to five years, assuming SPF is widely
>> deployed?
>>
>> Do you think it could fit into the RAM for any server in production at
>> that time?
>>
> So why in the world would you ever want every domain in your cache?

You completely missed the point -- *again*.

Anytime an SPF (or other DNS) lookup results in a cache miss, some other, upstream or authoritative, *shared* cache or server must be consulted to obtain the necessary info. (If DNS did not depend on a high cache hit rate, there would be little or no need for DNS caches at all.)

And it's fairly trivial for an attacker to force a few systems to generate lots of SPF lookups that result in cache misses. That is, at *present*, harder and less useful for attackers to do, if they're trying to inject spam. They can't randomly pick IP addresses to connect from, for example.

I already posted a fairly simple experiment people who operate mail servers can do to see for themselves what effects SPF might have, once deployed, under such an attack. Has anyone tried it yet? Or would people rather argue that it's not necessary, and continue to build their skyscrapers out of bricks and mortar?

> I've got a question for you: how many DSL DNS servers does BELLSOUTH have?
> DNS is used for far more than email. So if there were the kind of
> problems in DNS you talk about, wouldn't it be evident by a million people
> surfing the net? I mean, think about it. 2.5 million computers, all in
> the same time zone, all looking at websites. That is a big cache,
> right? So how do they do it?

I already explained this, several times: their caches have sufficiently high hit rates, because their lookup patterns exhibit sufficient locality of reference. That's not going to be the case with SPF when under attack.

> Please just drop it. If you don't like it then don't use it. But you
> aren't going to win a disagreement that DNS doesn't work!

I never said it didn't work. I'm saying it's possibly the wrong tool for the job of detecting forgeries, and that it's *probably* going to be overloaded by widespread deployment of SPF.

--
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>
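The locality-of-reference argument above, as an added illustration that is not part of the thread: a toy LRU resolver cache fed a constructed Zipf-like "web browsing" stream, a constructed stream of uniformly random names (no reuse), and a 50/50 mix of the two, so the drop in cache hit rate (every miss is an upstream query) can be seen directly. Capacity, name-space size and the Pareto shape are assumptions chosen for the model, not measurements.

```python
# Added example (not part of the original thread): a toy LRU resolver cache
# fed constructed lookup streams, to show why hit rate depends on locality.
import random
from collections import OrderedDict


class LRUCache:
    """Minimal LRU cache that counts hits and misses (each miss = upstream query)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, name):
        if name in self.entries:
            self.entries.move_to_end(name)  # refresh recency on a hit
            self.hits += 1
            return True
        self.misses += 1
        self.entries[name] = True  # on a miss, "fetch" from upstream and cache
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)  # evict the least recently used name
        return False

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def browsing_name(rng):
    # Constructed browsing-style workload: Zipf-like, a few sites dominate.
    rank = min(int(rng.paretovariate(0.5)), 10_000_000)
    return f"site{rank}.example"


def random_name(rng):
    # Constructed no-locality workload: uniform over a huge name space.
    return f"host{rng.randrange(10_000_000)}.example"


def simulate(name_fns, lookups, capacity, seed=7):
    """Interleave the given name generators at random; return the cache hit rate."""
    rng = random.Random(seed)
    cache = LRUCache(capacity)
    for _ in range(lookups):
        cache.lookup(rng.choice(name_fns)(rng))
    return cache.hit_rate()


if __name__ == "__main__":
    print("locality only:", simulate([browsing_name], 20_000, 1_000))
    print("no locality  :", simulate([random_name], 20_000, 1_000))
    print("50/50 mix    :", simulate([browsing_name, random_name], 20_000, 1_000))
```

With the mix, the random stream not only misses on its own but also evicts the hot entries, so the hit rate falls well below the locality-only run.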