ietf-asrg

Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-05-25 11:54:28
http://amir.herzberg.googlepages.com/somerecentpapers

This paper refers to DNS poisoning without fully exploring how SPF might be used to enable DNS poisoning. SPF might be checked by MUAs in some cases. More than just resolvers associated with MTAs are affected, so separate resolvers for MTAs, which themselves might become poisoned, do not represent a good solution. SPF provides bad actors access to DNS resolvers that might otherwise be protected by ACLs. At today's Internet speeds, DNS transactional IDs do not represent adequate protection. SPF's use of macros ignores this security vulnerability. Suggesting the use of DNSSEC is not reasonable justification for ignoring this problem.

SPF supports the use of macros to access A, AAAA, PTR and TXT DNS resource records. These macros might expand local-parts within the email-message, which means SPF records may NOT be fully cacheable. Subsequent record resolutions can be triggered by the SPF macros, where as many as one hundred such record resolutions can occur when resolving a single SMTP source authorization.

These subsequent resolution events can be directed toward both a DNS resolver under the control of the bad actor to obtain timing and target information for the remaining tens or hundreds of record resolutions made against their victim's caching resolvers. This attack can be renewed by simply changing local-parts within either the bounce address or the PRA. Perhaps both the bounce address and the PRA authorization verifications are attempted, which would have the effect of doubling the amount of traffic.

SPF both enables sustained DDoS attacks and is able to bypass protections otherwise afforded by ACLs on local resolvers. It seems that risk should be mentioned in a critical review.

-Doug
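
An added example, not part of the original message: a small Python auditor a mail administrator could run over a published SPF record to list the terms that trigger DNS queries and flag those whose query name follows the sender local-part, which is the non-cacheable case the message describes. The records, senders and `example.*` names are constructed, the function names are hypothetical, and the expander handles only plain macros without transformers.

```python
import re

# Terms that trigger DNS queries during an SPF check; RFC 4408 section 10.1
# limits them to 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOCAL_PART_MACROS = {"l", "s"}   # expansions containing the sender local-part
MACRO_RE = re.compile(r"%\{([A-Za-z])[0-9]*r?[-.+,/_=]*\}")
TERM_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?$")


def audit_spf(record):
    """List lookup-causing terms and those whose query name follows the local-part."""
    lookups, per_local_part = [], []
    for term in record.split()[1:]:               # skip the "v=spf1" tag
        m = TERM_RE.match(term.lstrip("+-~?"))
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        lookups.append(term)
        letters = {c.lower() for c in MACRO_RE.findall(m.group(2) or "")}
        if letters & LOCAL_PART_MACROS:
            per_local_part.append(term)
    return {"lookups": lookups, "per_local_part": per_local_part,
            "over_limit": len(lookups) > 10}


def distinct_query_names(domain_spec, senders):
    """Expand plain %{l}, %{d}, %{s}, %{o} (no transformers) for each sender."""
    names = set()
    for sender in senders:
        local, _, domain = sender.rpartition("@")
        values = {"l": local, "d": domain, "o": domain, "s": sender}
        names.add(re.sub(r"%\{([ldso])\}", lambda m: values[m.group(1)], domain_spec))
    return names


# Constructed sample records and senders (example.* names are placeholders).
STATIC = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all"
MACRO = "v=spf1 exists:%{l}._chk.%{d} a:%{l1r-}.example.org mx -all"
SENDERS = ["alice@example.org", "bob@example.org", "carol@example.org"]

if __name__ == "__main__":
    for rec in (STATIC, MACRO):
        print(rec, "->", audit_spf(rec))
    # One cacheable name versus one name per sender local-part.
    print(distinct_query_names("_spf.%{d}", SENDERS))
    print(distinct_query_names("%{l}._chk.%{d}", SENDERS))
```

The audit covers a single record only; terms inside an `include:` or `redirect=` target count toward the same limit and need to be fetched and audited separately.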






_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg