ietf-dkim

Re: [ietf-dkim] Re: New Issue: TLD key publication and signing

2006-02-14 19:36:47
Markley, Mike wrote:
Frank Ellermann wrote:

Hi, that sounds like a general "bug" or "feature" not limited
to TLDs, it would be the same with say ac.uk or navy.mil SLDs,
or any other domain with "independent" (zone cut) subdomains.
That's true, but domains under navy.mil are (presumably) operated by
subgroups within the organization that operates navy.mil. This is not
true of a TLD.

IMO, the ac.uk case is identical to the .com case, beyond having two
points (.ac.uk and .uk) at which a _domainkey record could be used to
assert the identity of another.

While I agree that the general case is interesting and should be
documented, I believe that there's (somewhat) more risk to the specific
case of a TLD (or second- and even third-level registrars), since those
are entities that are generally organizationally independent of the
domains within their namespace.

  I remember talking about this a long time ago with Jim as a potential
  attack. While it remains so, a TLD operator can even more easily
  change your NS records too. So, really, the integrity of the DNS is
  hinged on TLD operators not doing such evil things. As such, I don't
  think DKIM's vulnerability is any greater than, say, the NS record
  for bankofamerica.com, right?

                Mike
_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
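The verifier-side check the thread is circling, as an added example (not code from the list or from any DKIM implementation): it parses the d= and i= tags of a DKIM-Signature header, enforces the rule that i= must be the signing domain or a subdomain of it, and flags a signature whose signing domain is a registry-operated suffix such as .com or .ac.uk, where a key could be used to assert another domain's identity. The suffix set is a constructed stand-in for a full public-suffix list, and the header strings are constructed samples.

```python
import re

# Constructed, deliberately tiny stand-in for a public-suffix list; a real
# verifier would load the full Public Suffix List (assumption, not on the page).
PUBLIC_SUFFIXES = {"com", "mil", "uk", "ac.uk"}

TAG_RE = re.compile(r"\s*([a-z0-9_]+)\s*=\s*([^;]*)")


def parse_tags(header: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header.split(";"):
        m = TAG_RE.fullmatch(part)
        if m:
            tags[m.group(1)] = m.group(2).strip()
    return tags


def is_suffix_or_equal(child: str, parent: str) -> bool:
    """True when child is parent itself or lies somewhere beneath it."""
    child, parent = child.lower(), parent.lower()
    return child == parent or child.endswith("." + parent)


def assess(header: str, from_domain: str) -> str:
    """Classify a signature by how its signing domain relates to the mail."""
    tags = parse_tags(header)
    d = tags.get("d", "")
    if not d:
        return "invalid"
    i = tags.get("i", "@" + d)        # RFC 4871 default: i= is @d=
    i_domain = i.rsplit("@", 1)[-1]
    if not is_suffix_or_equal(i_domain, d):
        return "invalid"              # i= must be d= or a subdomain of it
    if d.lower() in PUBLIC_SUFFIXES:
        return "suspicious"           # key lives in a registry-operated zone
    if not is_suffix_or_equal(from_domain, d):
        return "third-party"          # valid, but signer is unrelated to From
    return "ok"
```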