> I remember talking about this a long time ago with Jim as a potential
> attack. While it remains so, a TLD operator can even more easily
> change your NS records too. So, really, the integrity of the DNS is
> hinged on TLD operators not doing such evil things. As such, I don't
> think DKIM's vulnerability is any greater than, say, the NS record
> for bankofamerica.com, right?
Right.
DKIM uses the DNS for storing sensitive information. The DNS already holds
information sensitive to the useful operation of the Internet.
So I can't imagine that a DKIM threat analysis should be held accountable for
discussing DNS exposures, other than to note that the correctness of DKIM
information depends upon safe and secure DNS admin and ops.
Really, to say more strikes me as trying to boil the ocean.
d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html