There have been a lot of discussions going on in the last few days
at NANOG and other dns operations lists that are related to issue of
public recursive dns servers being used to amplify an attacks:
The general description of the problem is that bad guys are sending
spoofed udp packets to servers in a way so that the servers would send
data (to spoofed source) that is considerably larger then the original
request - thus the amplification. For more information, you may want
to read http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
In current case with DNS abuse documented above, most (almost all)
dns servers only have records that a small and so the servers are not
good targets for any significant amplification. So attackers are
basically poisoning recursive nameservers with their own large data
as a way to get them to become good targets and good amplifiers - this
has been quite successful and is currently major issue for dns operations
and security folks.
Getting back to this group work - you are expecting to introduce large
DNS records as a mainstream for many dns servers. This would make such
servers a great target for use in amplification attacks even if those
servers are not configured to do recursion. This is bad and potential
for such an attack and abuse for anyone using DKIM must be documented
and it must be made clear that servers with DKIM records may become
targets for use in DNS amplification attacks. In fact the larger the
record you put in dns, the better target for such an attack it becomes!
Note that there is currently no good solution to this issue for UDP
protocols (most either do TCP-like session establishment before sending
large data or they are engineered so that responses can be limited with
ACLs to only specified group of systems, i.e. local LAN in case of DHCP).
My personal view is that if there is a way to avoid introducing large
records into UDP one query-response situation, that it absolutely must be
done. So I would see as best solution a replacement of public keys in dns
with an approach that uses a lot smaller fingerprints in DNS.
NOTE WELL: This list operates according to