ietf-asrg

[Asrg] RMX & DNS: double advantage

2003-03-07 02:42:20
Hi,

there have been a lot of objections against RMX due to the
security flaws of DNS. I spent some hours thinking and
I'd like to address these objections.

While these objections are true on the one hand, they are 
shortsighted on the other hand. What appears to be a
security flaw at first glance can easily be turned into
a double advantage. Let me elaborate on this:


First of all: Yes, RMX depends on any kind of directory
service, which has to be reliable (spoof-proof) _and_
isomorphic to the domain space at the same time. The bad thing
is that we currently have only one isomorphic directory 
service, DNS, and that this is not spoof-proof. 

The first consequence is even worse than most antagonists believe.
While I don't believe that spammers significantly succeed in 
poisoning DNS caches, this is vulnerable to a bad DoS attack:

Imagine an attacker wants to block e-mail traffic from 
A.com to B.com. All he needs to do is to send a fake message
with sender address A.com to B.com to cause B.com's DNS to 
ask for A.com's RMX entry, and to send a fake answer with a 
random address in the RMX entry and a long TTL. From now on, 
B.com will reject messages from A.com.

But is this a new vulnerability? No. The same attack could have
been achieved by poisoning A.com's DNS cache with a wrong MX record. 
Did anyone ask to kill SMTP because of this flaw? No.


While I still agree that this kind of unacceptable DoS 
attack exists when using RMX with "old" DNS servers, I'd like
to point out why this isn't really a security flaw, but can 
be turned into a double advantage:


I believe there is consensus that - beyond RMX - DNS is insecure
as it is now, and that this causes much more trouble than just
breaking RMX. OK.


In contrast to other similar proposals, RMX doesn't use existing
A or MX records. It uses a _new_ record type. Whoever wants to participate
in the RMX game will have to upgrade the DNS server. Is that too much 
to ask for? No, since Internet servers are not made for eternity 
and need to be upgraded from time to time to fix the latest security
holes anyway. 

But if people have to upgrade their DNS servers for RMX anyway, 
we can give them a secure DNS at the same time without overhead. 
All we need to do is to cooperate with the DNS working group to 
develop an improved DNS service at the same time, e.g. have them
implement the nonce extension. 

RMX queries will work only with this new security extension, which is
not a constraint, since RMX will require new DNS servers anyway. 
All we have to do is to ask DNS server manufacturers to implement 
the nonce (or whatever method is chosen) not later than RMX,
advantageously at the same time.

This will have several benefits:

- The DNS security extensions will be widely deployed, since 
  administrators now have a good reason to upgrade. Thus we will
  by the way easily fix the DNS problem, which is not a bad side
  effect, is it?

- The RMX records will reliably work and move e-mail security from 
  zero to a certain level.



Thus, with just a simple single DNS server upgrade - which is much
easier to achieve than to do any MUA changes - we can make two
fundamental internet services much more secure, easily and cheaply: 
DNS and SMTP. Double advantage. 

Any further objections?

Hadmut



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
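
Added example, not part of the original message: a toy model of the cache-poisoning DoS and of the nonce check the message proposes. The nonce mechanism shown (a random value per query that the answer must echo), the class and function names, and the a.example domain and addresses are assumptions made for illustration; the message does not specify how the nonce extension works.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Response:
    qname: str
    rmx_hosts: tuple               # addresses authorised to send mail for qname
    ttl: int
    nonce: Optional[bytes] = None  # echoed query nonce (hypothetical extension)

class Resolver:
    """Toy caching resolver for RMX lookups; not a real DNS implementation."""
    def __init__(self, require_nonce):
        self.require_nonce = require_nonce
        self.pending = {}  # qname -> nonce of the outstanding query
        self.cache = {}    # qname -> (rmx_hosts, ttl)

    def query(self, qname):
        nonce = secrets.token_bytes(16)
        self.pending[qname] = nonce
        return nonce       # seen only by the authoritative server

    def receive(self, resp):
        expected = self.pending.get(resp.qname)
        if expected is None:
            return False   # unsolicited or late answer: ignore
        if self.require_nonce and not (
                resp.nonce and secrets.compare_digest(resp.nonce, expected)):
            return False   # answer does not echo the nonce: keep waiting
        del self.pending[resp.qname]
        self.cache[resp.qname] = (resp.rmx_hosts, resp.ttl)
        return True

    def sender_authorised(self, domain, ip):
        return ip in self.cache[domain][0]

def simulate(require_nonce):
    """Return True if mail from the genuine a.example relay is still accepted."""
    r = Resolver(require_nonce)
    nonce = r.query("a.example")
    # Constructed sample data: a forged answer with a long TTL arrives first.
    # The legacy mode assumes it passed whatever checks an old server applies.
    forged = Response("a.example", ("203.0.113.99",), ttl=604800)
    genuine = Response("a.example", ("192.0.2.25",), ttl=3600, nonce=nonce)
    r.receive(forged)
    r.receive(genuine)
    return r.sender_authorised("a.example", "192.0.2.25")
```

Without the nonce check the forged record is cached and the genuine relay is rejected until the TTL expires; with it the forged answer is dropped and the genuine one is cached.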


