
RE: [ietf-dkim] Re: New Issue: TLD key publication and signing

2006-02-14 19:56:10
Michael Thomas wrote:
   I remember talking about this a long time ago with Jim as a potential
   attack. While it remains so, a TLD operator can even more easily
   change your NS records too. So, really, the integrity of the DNS is
   hinged on TLD operators not doing such evil things. As such, I don't
   think DKIM's vulnerability is any greater than, say, the NS record
   for bankofamerica.com, right?

I doubt that many nameserver implementations are querying Verisign's
nameservers for bankofamerica.com's A record directly, but rather for
the NS record. Even with that being the case, they could redirect the NS
request somewhere evil; the impact there is obvious breakage.

In the DKIM case, however, Verisign is able to quietly purport to be
bankofamerica.com without breaking anything in place (as they would if
they attempted to clobber our own _domainkey RRs, or redirect DNS
lookups elsewhere via rogue NS records).

Note, lest anyone get any funny ideas, that I don't actually think
Verisign would attempt this, and I'm not concerned for my personal
welfare as I doubly doubt they'd attempt it on a high-visibility target.
I just find them useful examples. You may substitute example.cn if you
prefer.

-- Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://dkim.org/ietf-list-rules.html
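The concern raised in this exchange is that a parent zone such as a TLD can publish its own DKIM key and sign mail on behalf of any domain beneath it without disturbing the child's own records. The following is an added illustration, not code from the thread or from any DKIM implementation, of one verifier-side policy a receiver could apply: reject a signature whose d= domain is a public suffix, and require that both the From domain and any i= identity lie within d=. The tag parser, the public-suffix set and the sample DKIM-Signature headers are constructed here for the example; a real deployment would load the full Public Suffix List rather than the short set shown.

```python
import re

# Constructed stand-in for a public-suffix list (assumption: these labels are
# registries, not organisations that should vouch for mail from domains under
# them). A real verifier would load the complete Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "co.uk"}


def parse_tags(sig_header: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict, dropping folding
    whitespace from the values. Only the first '=' separates tag from value,
    so base64 padding in b= and bh= survives intact."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def domain_of(identity: str) -> str:
    """Domain part of 'local@domain' (or the whole string if there is no '@')."""
    return identity.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def within(child: str, parent: str) -> bool:
    """True when child equals parent or is a subdomain of it."""
    return child == parent or child.endswith("." + parent)


def is_public_suffix(domain: str) -> bool:
    return domain.lower().rstrip(".") in PUBLIC_SUFFIXES


def signing_domain_acceptable(sig_header: str, from_addr: str):
    """Policy check run before (or alongside) cryptographic verification.

    Returns (ok, reason). Rejects when:
      * d= is missing,
      * d= is a public suffix (a registry vouching for its registrants),
      * the From domain is not d= or a subdomain of d=,
      * an i= identity, if present, is not within d=.
    """
    tags = parse_tags(sig_header)
    d = tags.get("d", "").lower().rstrip(".")
    if not d:
        return False, "missing d= tag"
    if is_public_suffix(d):
        return False, f"signing domain {d!r} is a public suffix"
    sender = domain_of(from_addr)
    if not within(sender, d):
        return False, f"From domain {sender!r} is not within signing domain {d!r}"
    identity = tags.get("i")
    if identity and not within(domain_of(identity), d):
        return False, f"i= identity {identity!r} is not within signing domain {d!r}"
    return True, "ok"


# Constructed sample headers (bh= and b= values are placeholders, not real
# digests or signatures); only the policy tags matter for this check.
SIG_ORG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject;"
           " bh=PLACEHOLDERbh=; b=PLACEHOLDERb==")
SIG_TLD = ("v=1; a=rsa-sha256; d=com; s=registry; i=@example.com;"
           " h=from:to:subject; bh=PLACEHOLDERbh=; b=PLACEHOLDERb==")
SIG_SUB = ("v=1; a=rsa-sha256; d=mail.example.org; s=sel2; h=from:to;"
           " bh=PLACEHOLDERbh=; b=PLACEHOLDERb==")


if __name__ == "__main__":
    for sig, sender in ((SIG_ORG, "alerts@example.com"),
                        (SIG_TLD, "alerts@example.com"),
                        (SIG_SUB, "alerts@example.org")):
        print(signing_domain_acceptable(sig, sender))
```

The check is deliberately independent of the signature's cryptographic validity: a key published under _domainkey.com would verify correctly, which is exactly why the trust decision has to be made on the relationship between d= and the addressed domain rather than on the signature alone.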