Lookup limit being reached one lookup earlier than it should #3

Closed
anhdowastaken opened this issue Jun 17, 2022 · 4 comments

@anhdowastaken
Hi,

I have seen "lookup limit reached" error when performing SPF check on "microsoft.com":

$ go version
go version go1.17.9 darwin/amd64
$ git remote -v
origin	[email protected]:albertito/spf.git (fetch)
origin	[email protected]:albertito/spf.git (push)
$ git log -1
commit d9db5f70c02968c3f05c5c516ce520a4d1bc4397 (HEAD -> master, origin/master, origin/HEAD)
Author: Alberto Bertogli <[email protected]>
Date:   Sat Mar 19 10:50:36 2022 +0000

    gitlab-ci: Update "go get" to "go install"

    Our use of "go get" to install binaries is deprecated, update it to "go
    install".
$ go run spf-check.go -debug 1.2.3.4 [email protected]
Sender: [email protected]
IP: 1.2.3.4
debug: check "microsoft.com" 1
debug: dns record "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com include:_spf1-meo.microsoft.com -all"
debug: check "_spf-a.microsoft.com" 2
debug: dns record "v=spf1 ip4:216.99.5.67 ip4:216.99.5.68 ip4:202.177.148.100 ip4:203.122.32.250 ip4:202.177.148.110 ip4:213.199.128.139 ip4:213.199.128.145 ip4:207.46.50.72 ip4:207.46.50.82 ip4:65.55.42.224/28 ip4:13.78.233.182 include:spf.protection.outlook.com ~all"
debug: check "spf.protection.outlook.com" 3
debug: dns record "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"
debug: check "spfd.protection.outlook.com" 4
debug: dns record "v=spf1 ip4:51.4.72.0/24 ip4:51.5.72.0/24 ip4:51.5.80.0/27 ip4:20.47.149.138/32 ip4:51.4.80.0/27 ip6:2a01:4180:4051:0800::/64 ip6:2a01:4180:4050:0800::/64 ip6:2a01:4180:4051:0400::/64 ip6:2a01:4180:4050:0400::/64 -all"
debug: fail matched all
debug: fail matched all
debug: softfail matched all
debug: check "_spf-b.microsoft.com" 5
debug: dns record "v=spf1 include:_spf-mdm.microsoft.com ip4:207.46.22.35 ip4:207.46.22.98/29 ip4:217.77.141.52 ip4:217.77.141.59 ip4:203.32.4.25 ip4:131.107.0.0/16 ip4:23.103.224.0/19 ip4:206.191.224.0/19 ip4:65.52.80.137/32 ip4:51.140.75.55 ip4:13.70.32.43 ~all"
debug: check "_spf-mdm.microsoft.com" 6
debug: dns record "v=spf1 ip4:134.170.113.0/26 ip4:131.253.30.0/24 ip4:157.56.120.128/26 ip4:134.170.174.0/24 ip4:134.170.141.64/26 ip4:134.170.143.0/24 ip4:157.58.249.3 ip4:65.55.29.77 ip4:131.253.121.0/26 -all"
debug: fail matched all
debug: softfail matched all
debug: check "_spf-c.microsoft.com" 7
debug: dns record "v=spf1 ip4:213.199.138.181 ip4:213.199.138.191 ip4:207.46.52.71 ip4:207.46.52.79 ip4:86.61.88.25 ip4:167.220.67.232/29 ip4:157.58.196.96/29 ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 ip4:52.250.126.174 ~all"
debug: softfail matched all
debug: check "_spf-ssg-a.microsoft.com" 8
debug: dns record "v=spf1 include:_spf-ssg-a.msft.net ip4:52.185.106.240/28 ip4:207.46.200.0/27 ip4:207.46.50.192/26 ip4:65.55.234.192/26 ip4:65.55.52.224/27 ip4:52.234.172.96/28 ip4:167.220.67.238 ip4:51.4.71.62 ip4:20.94.180.64/28 ip4:131.253.121.20 ip4:131.253.121.52 ~all"
debug: check "_spf-ssg-a.msft.net" 9
debug: dns record "v=spf1 ip4:20.63.210.192/28 ip4:52.236.28.240/28 ip4:103.9.8.121 ip4:103.9.8.122 ip4:103.9.8.123 ip4:42.159.163.81 ip4:42.159.163.82 ip4:42.159.163.83 ip4:134.170.27.8 ip4:52.251.55.143 ip4:52.237.141.173 ip4:40.112.65.63 ip4:104.215.186.3 ~all"
debug: softfail matched all
debug: softfail matched all
debug: check "spf-a.hotmail.com" 10
debug: dns record "v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"
debug: softfail matched all
debug: check "_spf1-meo.microsoft.com" 11
debug: dns record "v=spf1 ip4:52.165.175.144 ip4:52.247.53.144 ip4:157.55.254.216 ip4:13.74.143.28 ip4:104.214.25.77 ip4:207.46.225.107 ip4:51.137.58.21 ip4:138.91.172.26 ip4:52.250.107.196 ip4:13.92.31.129 ip4:40.77.102.222 ip4:51.144.100.179 ip4:52.160.39.140 ip4:52.244.206.214 ip4:13.72.50.45 ~all"
debug: lookup limit reached
debug: include ok, permerror lookup limit reached
Result: permerror
Error: lookup limit reached

According to https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4, I understand the default limit is 10. However, in the package the DNS query for the SPF policy record itself counts towards that limit, but other packages/libs do not count it. For example, when I check with https://dmarcly.com/tools/spf-record-checker, the "microsoft.com" domain has exactly an SPF DNS lookup count of 10.

I understand I can use the OverrideLookupLimit() function to change the limit. However I would like to report this issue and hear your comment whether it's a bug.
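
To make the counting rule concrete, here is an added Go example (not code from the spf library or from either participant). It walks an in-memory copy of the include: chain from the debug output above and charges lookups the way RFC 7208 section 4.6.4 describes (one per include, a, mx, ptr and exists mechanism and one per redirect modifier), with a switch that reproduces the pre-fix behaviour of also charging the initial record fetch. The zone map, the Counter type and the example.test records are constructed for this illustration, and the ip4/ip6 lists are trimmed because they cost nothing. It counts every DNS-querying term in the tree, a worst-case count like the one an SPF record checker reports, rather than stopping at the first matching mechanism as a real evaluation would, and it does not model the separate void-lookup limit.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrLookupLimit is the permerror condition from RFC 7208 section 4.6.4.
var ErrLookupLimit = errors.New("lookup limit reached")

// DefaultLookupLimit is the RFC 7208 maximum number of DNS-querying terms.
const DefaultLookupLimit = 10

// zone is a constructed, in-memory stand-in for the TXT records in the
// issue's debug output. The ip4/ip6 lists are trimmed to one entry each
// because they never cost a lookup; the include: chain is kept exactly.
// The two example.test records are made up to exercise a/mx/redirect/exists.
var zone = map[string]string{
	"microsoft.com":               "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com include:_spf1-meo.microsoft.com -all",
	"_spf-a.microsoft.com":        "v=spf1 ip4:216.99.5.67 include:spf.protection.outlook.com ~all",
	"spf.protection.outlook.com":  "v=spf1 ip4:40.92.0.0/15 ip6:2a01:111:f400::/48 include:spfd.protection.outlook.com -all",
	"spfd.protection.outlook.com": "v=spf1 ip4:51.4.72.0/24 -all",
	"_spf-b.microsoft.com":        "v=spf1 include:_spf-mdm.microsoft.com ip4:207.46.22.35 ~all",
	"_spf-mdm.microsoft.com":      "v=spf1 ip4:134.170.113.0/26 -all",
	"_spf-c.microsoft.com":        "v=spf1 ip4:213.199.138.181 ~all",
	"_spf-ssg-a.microsoft.com":    "v=spf1 include:_spf-ssg-a.msft.net ip4:52.185.106.240/28 ~all",
	"_spf-ssg-a.msft.net":         "v=spf1 ip4:20.63.210.192/28 ~all",
	"spf-a.hotmail.com":           "v=spf1 ip4:157.55.0.192/26 ~all",
	"_spf1-meo.microsoft.com":     "v=spf1 ip4:52.165.175.144 ~all",
	"example.test":                "v=spf1 a mx/24 redirect=hop.example.test",
	"hop.example.test":            "v=spf1 exists:_bl.example.test ip4:192.0.2.0/24 -all",
}

// Counter walks an SPF record tree and charges lookups the way RFC 7208
// section 4.6.4 describes. CountInitial reproduces the pre-fix behaviour
// the issue describes: also charging the fetch of the first record.
type Counter struct {
	Limit        int
	CountInitial bool
	Lookups      int
}

func (c *Counter) charge() error {
	c.Lookups++
	if c.Lookups > c.Limit {
		return ErrLookupLimit
	}
	return nil
}

// Check returns how many lookups were charged for domain, and ErrLookupLimit
// if the walk exceeded the limit.
func (c *Counter) Check(domain string) (int, error) {
	if c.CountInitial {
		if err := c.charge(); err != nil {
			return c.Lookups, err
		}
	}
	err := c.walk(domain)
	return c.Lookups, err
}

func (c *Counter) walk(domain string) error {
	rec, ok := zone[domain]
	if !ok {
		return fmt.Errorf("no SPF record for %q", domain)
	}
	for _, term := range strings.Fields(rec)[1:] { // skip the "v=spf1" version tag
		term = strings.TrimLeft(term, "+-~?") // qualifiers do not change the cost
		if name, target, isModifier := strings.Cut(term, "="); isModifier {
			if name == "redirect" { // costs one lookup and is then followed
				if err := c.charge(); err != nil {
					return err
				}
				if err := c.walk(target); err != nil {
					return err
				}
			}
			continue // exp= and unknown modifiers are free
		}
		name, target, _ := strings.Cut(term, ":")
		name, _, _ = strings.Cut(name, "/") // "a/24", "mx/24" carry a CIDR suffix
		switch name {
		case "include": // costs one lookup and recurses into the target record
			if err := c.charge(); err != nil {
				return err
			}
			if err := c.walk(target); err != nil {
				return err
			}
		case "a", "mx", "ptr", "exists": // cost one lookup each, nothing to recurse into
			if err := c.charge(); err != nil {
				return err
			}
		}
		// ip4, ip6 and all never query DNS and are not charged.
	}
	return nil
}

func main() {
	for _, initial := range []bool{true, false} {
		c := &Counter{Limit: DefaultLookupLimit, CountInitial: initial}
		n, err := c.Check("microsoft.com")
		fmt.Printf("charge initial fetch=%v: %d lookups, err=%v\n", initial, n, err)
	}
}
```

Running it charges 11 lookups and fails with "lookup limit reached" when the initial fetch is counted, and charges exactly 10 with no error when it is not, which is the one-lookup difference the issue title describes.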

@albertito albertito self-assigned this Jun 17, 2022
@albertito albertito added the bug label Jun 17, 2022
@albertito (Owner)

Thanks a lot for reporting this!

I think you are correct: the library is counting the initial resolution as a resolution for the purposes of the lookup limits, and it shouldn't as per the standard.

I'm working on a fix.

albertito added a commit that referenced this issue Jun 18, 2022
As per RFC, we should not count the initial DNS lookup for the purposes
of the lookup limit, but the code currently does.

This can result in over-limiting by 1 lookup.

This patch fixes the problem by incrementing the counts on their
respective mechanism and modifier. That behaviour also matches the RFC
wording, so it is easier to follow.

https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4

Thanks to Anh Do <[email protected]> for reporting this issue in
#3.
@albertito (Owner)

This should be fixed in commit 48ee700, which is in the "next" branch.

I've tested that it now resolves microsoft.com as expected, and added some tests to prevent future regressions.

Note I've also added your name and email in the commit message, let me know if you prefer to be credited in another way, and I'll amend the patch.

Once it's gotten a bit more exposure and if everything goes well, I'll move it to master as usual.

Thanks again!

@albertito albertito changed the title Performing SPF check on "microsoft.com" returns "lookup limit reached" Lookup limit being reached one lookup earlier than it should Jun 18, 2022
@anhdowastaken (Author)

@albertito Thanks for your fix. I highly appreciate your mention <3

@albertito (Owner)

The fix is now in the master branch, and included in v1.4.0.

Thank you!
