On Feb 27, 2006, at 4:31 PM, Jim Fenton wrote:
In fact the larger the record you put in dns, the better target
for such an attack it becomes!

If we were to include this in the threat document, it would need to
go into a new category because it's not a threat to the signature
mechanism nor to SSP, but rather an attack on DNS that might be
facilitated by DKIM. I'm not sure whether this is in-scope for the
threat document or not, but it would be an expansion of its current
scope to include it.

A concern related to DKIM would be to ensure DNS UDP payloads are not
exceeded by the key record response. Not exposing recursive DNS
servers is simply good practice, which is not specifically related
to DKIM.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
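
The payload concern raised in the reply above can be checked before a key record is published. The following is an added example, not part of the original message: it estimates the wire size of a minimal answer-only DNS response carrying a DKIM key TXT record and compares it with the classic 512-byte UDP limit. The selector name, the zero-filled stand-in keys and the function names are assumptions made for illustration.

```python
import base64

CLASSIC_UDP_LIMIT = 512  # bytes: DNS over UDP without EDNS0 (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def txt_rdata(text):
    """TXT RDATA: the text split into character-strings of at most 255 bytes."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def response_size(qname, txt):
    """Smallest plausible response: header, question and one TXT answer.
    Authority/additional records a real server may add only increase it."""
    header = 12
    question = len(encode_name(qname)) + 4   # QTYPE + QCLASS
    answer = 2 + 10 + len(txt_rdata(txt))    # name pointer, TYPE/CLASS/TTL/RDLENGTH
    return header + question + answer

def key_record(der_len):
    """Constructed sample record: zero bytes stand in for a public key whose
    DER encoding is der_len bytes long (only the length matters here)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(der_len)).decode()

def fits_classic_udp(qname, txt):
    return response_size(qname, txt) <= CLASSIC_UDP_LIMIT

# Hypothetical selector; 162/294/550 are the usual DER lengths of
# RSA-1024/2048/4096 public keys with exponent 65537.
QNAME = "sel._domainkey.example.com"
if __name__ == "__main__":
    for bits, der_len in ((1024, 162), (2048, 294), (4096, 550)):
        rec = key_record(der_len)
        print(bits, response_size(QNAME, rec), fits_classic_udp(QNAME, rec))
```
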