ietf-dkim

Re: [ietf-dkim] Re: New Issue: TLD key publication and signing

2006-02-14 21:24:56
In the DKIM case, however, Verisign is able to quietly purport to be
bankofamerica.com without breaking anything in place (as they would if
they attempted to clobber our own _domainkey RRs, or redirect DNS
lookups elsewhere via rogue NS records).

If I were an evil TLD registrar, I would have no trouble setting up a
few servers that mirrored the data on the real bofa servers with
nefarious records mixed in, and delegating your domain to them, so
that everything would look normal except for the stuff I deliberately
added or changed.  In fact, even though I am not (as far as I know) an
evil TLD registrar, I have stunt servers doing that sort of thing for
un-nefarious purposes now.

The entire structure of the DNS is based on successive delegations
from the root on down, and anyone above you can screw up your domains
any way he wants.  That's a feature, not a bug.

RFC 3833 already has a threat analysis of the DNS.  Please, let's just
point to that and be done with it.

R's,
John
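The point John makes, that whoever sits above you in the delegation chain can hand your domain to servers of their choosing, suggests the defender-side check a domain owner can run: ask the parent zone's server which name servers it currently delegates your domain to, compare that against the set you registered, and then fetch your DKIM key record from the servers the parent actually named rather than from the ones you believe are authoritative. The script below is an added example and is not code from this thread, from the DKIM working group, or from any DKIM implementation. All names (example.com, sel1, the ns1/ns2/mirror servers, a.gtld-servers.net. standing in for "a parent server") and the zone contents are constructed, and DNS lookups are injected as a callable so the check runs offline here; for a live run you would pass a function that queries the named server with a real DNS client.

```python
# Added example, not part of the original thread: a consistency check for the
# two places a party above you in the DNS delegation chain can interfere with
# DKIM without touching your own servers: the NS set the parent hands out for
# your domain, and the key record served by whatever that delegation points at.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# A lookup takes (nameserver, qname, qtype) and returns the rdata strings.
# It is injected so the checks can run against a real resolver or, as here,
# against constructed data.
Lookup = Callable[[str, str, str], List[str]]


@dataclass
class Finding:
    kind: str
    detail: str


def parse_dkim_tags(txt: str) -> Dict[str, str]:
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def check_delegation(domain: str, parent_ns: str, expected_ns: Iterable[str],
                     lookup: Lookup) -> Tuple[List[Finding], List[str]]:
    """Ask the parent server which servers it delegates `domain` to and compare
    with the set the owner registered.  Also returns the servers the parent
    actually named, so the key check follows the real resolution path."""
    delegated = sorted(set(lookup(parent_ns, domain, "NS")))
    expected = sorted(set(expected_ns))
    findings: List[Finding] = []
    if delegated != expected:
        findings.append(Finding("delegation-drift",
                                f"{parent_ns} delegates {domain} to {delegated}, expected {expected}"))
    return findings, delegated


def check_dkim_key(domain: str, selector: str, servers: Iterable[str],
                   expected_txt: str, lookup: Lookup) -> List[Finding]:
    """Fetch the selector's key record from each delegated server and compare
    the public key (p= tag) with the one the owner published."""
    name = f"{selector}._domainkey.{domain}"
    want = parse_dkim_tags(expected_txt).get("p")
    findings: List[Finding] = []
    for ns in servers:
        answers = lookup(ns, name, "TXT")
        if not answers:
            findings.append(Finding("dkim-key-missing", f"{ns} returns no TXT for {name}"))
            continue
        for txt in answers:
            got = parse_dkim_tags(txt).get("p")
            if got != want:
                findings.append(Finding("dkim-key-mismatch",
                                        f"{ns} serves p={got!r} for {name}, expected p={want!r}"))
    return findings


def run_checks(domain: str, selector: str, parent_ns: str, expected_ns: Iterable[str],
               expected_txt: str, lookup: Lookup) -> List[Finding]:
    findings, delegated = check_delegation(domain, parent_ns, expected_ns, lookup)
    findings += check_dkim_key(domain, selector, delegated, expected_txt, lookup)
    return findings


# Constructed data (hypothetical names): the parent has been made to delegate
# example.com to "mirror" servers that copy the real zone except for one
# selector's key.  Only the parent's NS answer and the TXT answers are modelled.
REAL_TXT = "v=DKIM1; k=rsa; p=REALKEY"
ROGUE_TXT = "v=DKIM1; k=rsa; p=ROGUEKEY"
ZONE_DATA = {
    ("a.gtld-servers.net.", "example.com.", "NS"): ["mirror1.example.net.", "mirror2.example.net."],
    ("ns1.example.com.", "sel1._domainkey.example.com.", "TXT"): [REAL_TXT],
    ("ns2.example.com.", "sel1._domainkey.example.com.", "TXT"): [REAL_TXT],
    ("mirror1.example.net.", "sel1._domainkey.example.com.", "TXT"): [ROGUE_TXT],
    ("mirror2.example.net.", "sel1._domainkey.example.com.", "TXT"): [REAL_TXT],
}


def fake_lookup(server: str, qname: str, qtype: str) -> List[str]:
    """Offline stand-in for a DNS query against a specific server."""
    return list(ZONE_DATA.get((server, qname, qtype), []))


if __name__ == "__main__":
    for f in run_checks("example.com.", "sel1", "a.gtld-servers.net.",
                        ["ns1.example.com.", "ns2.example.com."], REAL_TXT, fake_lookup):
        print(f.kind, "-", f.detail)
```

Querying the parent directly (rather than your own recursive resolver) matters: a redirected delegation is invisible to anything that already trusts your authoritative servers, and comparing the `p=` tag rather than the raw TXT string avoids false alarms from harmless whitespace or tag-order differences between servers.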
