http://amir.herzberg.googlepages.com/somerecentpapers
This paper refers to DNS poisoning without fully exploring how SPF
might be used to enable DNS poisoning. SPF might be checked by MUAs
in some cases. More than just resolvers associated with MTAs are
affected, so separate resolvers for MTAs, which themselves might
become poisoned, do not represent a good solution. SPF provides bad
actors access to DNS resolvers that might otherwise be protected by
ACLs. At today's Internet speeds, DNS transactional IDs do not
represent adequate protection. SPF's use of macros ignores this
security vulnerability. Suggesting the use of DNSSEC is not reasonable
justification for ignoring this problem.
SPF supports the use of macros to access A, AAAA, PTR and TXT DNS
resource records. These macros might expand local-parts within the
email-message, which means SPF records may NOT be fully cacheable.
Subsequent record resolutions can be triggered by the SPF macros,
where as many as one hundred such record resolutions can occur when
resolving a single SMTP source authorization.
These subsequent resolution events can be directed toward both a DNS
resolver under the control of the bad actor to obtain timing and
target information for the remaining tens or hundreds of record
resolutions made against their victim's caching resolvers. This
attack can be renewed by simply changing local-parts within either the
bounce address or the PRA. Perhaps both the bounce address and the
PRA authorization verifications are attempted, which would have the
effect of doubling the amount of traffic.
SPF both enables sustained DDoS attacks and is able to bypass
protections otherwise afforded by ACLs on local resolvers. It seems
that risk should be mentioned in a critical review.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
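The cache-defeating behaviour the post describes can be checked for on the defender's side. The following is an added example (editor's code, not Doug's and not any SPF implementation's): it expands SPF macros according to RFC 7208 section 7 for a given sender and client IP, lists the DNS names a first-level evaluation of the record would have to query, and flags records whose lookup terms contain sender-controlled macros (%{l}, %{s}, %{o}, %{i}, %{h}, %{p}) and so produce a different query name for every local-part. It does no DNS resolution, so include/redirect targets are counted but not followed. The sample record and sender addresses are constructed; the %{ir}.%{l1r+-} pattern follows the RFC's own illustration of macro transformers.

```python
"""Audit an SPF record for lookup amplification and uncacheable macros.

Added example; macro expansion follows RFC 7208 section 7 (same syntax as
RFC 4408). Only the exp-independent macro letters are supported; %{c},
%{r} and %{t} appear only in explanation strings and are not expanded.
"""
import ipaddress
import re

# Terms whose evaluation costs at least one DNS query (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Macro letters whose value is chosen by the remote SMTP client
# (MAIL FROM local-part/domain, HELO name, connecting IP, validated PTR name).
SENDER_CONTROLLED = {"s", "l", "o", "i", "p", "h"}

# One macro token: %{letter digits r? delimiters} or the literals %% %_ %-
TOKEN_RE = re.compile(
    r"%(?:\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))", re.IGNORECASE)
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.IGNORECASE)
CIDR_RE = re.compile(r"/\d+(?://\d+)?$")  # dual-cidr-length suffix on a/mx

# Constructed sample: an "exists" term whose name depends on client IP and local-part.
SAMPLE_RECORD = "v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} include:_spf.example.com mx -all"


def parse_term(term):
    """Split one SPF term into (name, argument), dropping qualifier and CIDR."""
    term = term.lstrip("+-~?")
    m = MODIFIER_RE.match(term)          # modifier, e.g. redirect=example.com
    if m:
        return m.group(1).lower(), m.group(2)
    name, _, arg = term.partition(":")   # mechanism, e.g. mx:example.com/24
    return name.split("/", 1)[0].lower(), CIDR_RE.sub("", arg)


def expand(text, sender, domain, ip, helo=None):
    """Expand SPF macros in text for the given MAIL FROM, domain and client IP."""
    local, _, sender_domain = sender.partition("@")
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        ip_text, ip_ver = str(addr), "in-addr"
    else:  # IPv6: dot-separated nibbles, as RFC 7208 requires for %{i}
        ip_text, ip_ver = ".".join(addr.exploded.replace(":", "")), "ip6"
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip_text, "v": ip_ver, "h": helo or domain,
              "p": "unknown"}  # %{p} would need a PTR lookup; "unknown" is the RFC fallback

    def repl(m):
        if m.group(5):
            return "%"
        if m.group(6):
            return " "
        if m.group(7):
            return "%20"
        letter, digits, rev, delims = (m.group(1).lower(), m.group(2),
                                       m.group(3), m.group(4))
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]   # keep the rightmost N labels
        return ".".join(parts)

    return TOKEN_RE.sub(repl, text)


def lookup_names(record, sender, domain, ip):
    """DNS names a first-level evaluation of record would query for this sender."""
    names = []
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            target = arg or domain         # bare a/mx/ptr default to the SPF domain
            names.append(expand(target, sender, domain, ip).lower().rstrip("."))
    return names


def audit(record):
    """Count lookup terms and report which sender-controlled macros they use."""
    lookups = 0
    sender_driven = set()
    for term in record.split()[1:]:
        name, arg = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        for m in TOKEN_RE.finditer(arg):
            if m.group(1) and m.group(1).lower() in SENDER_CONTROLLED:
                sender_driven.add(m.group(1).lower())
    return {"lookup_terms": lookups,
            "over_rfc7208_limit": lookups > 10,
            "sender_controlled_macros": sorted(sender_driven),
            "cacheable": not sender_driven}


if __name__ == "__main__":
    for sender in ("strong-bad@email.example.com", "alice@email.example.com"):
        print(sender, lookup_names(SAMPLE_RECORD, sender, "email.example.com", "192.0.2.3"))
    print(audit(SAMPLE_RECORD))
```

Run stand-alone, the script shows that the two constructed senders produce two different `exists` query names for the same record, which is exactly why a resolver cannot serve the second from cache; `audit` reports the record as not cacheable and names the macros responsible. Running it against a domain's own published record is a cheap pre-deployment check; a record that uses no sender-controlled macros and stays within the ten-lookup limit caps the number of queries a remote party can cause per message.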