Stephen Farrell wrote:
>> I remember talking about this a long time ago with Jim as a potential
>> attack. While it remains so, a TLD operator can even more easily
>> change your NS records too. So, really, the integrity of the DNS is
>> hinged on TLD operators not doing such evil things. As such, I don't
>> think DKIM's vulnerability is any greater than, say, the NS record
>> for bankofamerica.com, right?
>
> I think that that's correct. But this is a different threat, so we
> should note it at least.

Agreed.
If the problem were limited to TLDs, then we would be able to simply say
that the d= in a signature MUST NOT be a TLD. But the problem isn't
just TLDs, but any parent domain, e.g., co.uk, ca.us, k12.ca.us, etc.
In response to some other comments, this isn't a DNS vulnerability. DNS
could be perfectly secure and we would have this problem; it derives
from the fact that DKIM allows parent domains to sign for their
children. So it belongs in the DKIM threats document.
I would probably rate it as a high impact (affects entire domains) but
low likelihood (one has to be the owner of a higher-level domain, and
most of them can probably be trusted not to do this) threat.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html
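The parent-domain signing relationship Jim describes (a d= that is an ancestor of the From: domain, possibly a TLD or a registry suffix such as co.uk or k12.ca.us), as an added example that is not part of the original thread, the DKIM threats document, or any DKIM implementation. It classifies a message's DKIM d= against its From: domain; the header values and the abbreviated public-suffix set are constructed for the example, and a real check would load the full list from publicsuffix.org.

```python
"""Classify the relationship between a DKIM d= domain and the From: domain.

Illustrative code written for this page, not from any DKIM implementation.
The point it demonstrates: a parent domain (example.com, co.uk, even a bare
TLD) can present a signature that verifies for every domain beneath it, so a
verifier that only checks "d= is an ancestor of From:" cannot tell a
legitimate parent from a registry-level one without extra policy.
"""

import email.utils

# Constructed, abbreviated stand-in for the public suffix list. Assumption:
# a real check loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {
    "com", "org", "uk", "co.uk", "us", "ca.us", "k12.ca.us",
}


def normalize(domain):
    """Lower-case and strip whitespace and a trailing root dot."""
    return domain.strip().rstrip(".").lower()


def labels(domain):
    return normalize(domain).split(".")


def is_ancestor(parent, child):
    """True if `parent` is `child` or an ancestor of it in the DNS tree.

    Compared label by label, so bankofamerica.com is NOT an ancestor of
    notbankofamerica.com (a plain string suffix test would get that wrong).
    """
    p, c = labels(parent), labels(child)
    return len(p) <= len(c) and c[-len(p):] == p


def is_public_suffix(domain):
    return normalize(domain) in PUBLIC_SUFFIXES


def signing_relationship(from_header, d):
    """Return 'same', 'parent', 'public-suffix-parent' or 'unrelated'."""
    addr = email.utils.parseaddr(from_header)[1]
    from_domain = addr.rsplit("@", 1)[-1]
    if normalize(d) == normalize(from_domain):
        return "same"
    if is_ancestor(d, from_domain):
        # A parent that is a TLD or registry suffix is the case the thread
        # worries about: it can sign for every registrant beneath it.
        return "public-suffix-parent" if is_public_suffix(d) else "parent"
    return "unrelated"


def parse_dkim_d(header_value):
    """Extract the d= tag from a DKIM-Signature header value (tag=value; ...)."""
    for tag in header_value.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip()
    return None


def check_message(headers):
    """headers: dict of header name -> value. Returns (d, relationship)."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return None, "unsigned"
    d = parse_dkim_d(sig)
    if d is None:
        return None, "malformed"
    return d, signing_relationship(headers["From"], d)


# Constructed sample headers (not real messages).
SAMPLE_MESSAGES = [
    {"From": "Alice <alice@bankofamerica.com>",
     "DKIM-Signature": "v=1; a=rsa-sha256; d=bankofamerica.com; s=sel; h=from:to; bh=x; b=y"},
    {"From": "alice@mail.example.com",
     "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=x; b=y"},
    {"From": "alice@bank.co.uk",
     "DKIM-Signature": "v=1; a=rsa-sha256; d=co.uk; s=sel; h=from:to; bh=x; b=y"},
    {"From": "alice@notbankofamerica.com",
     "DKIM-Signature": "v=1; a=rsa-sha256; d=bankofamerica.com; s=sel; h=from:to; bh=x; b=y"},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        d, rel = check_message(msg)
        print(f"{msg['From']!r:40} d={d!r:22} -> {rel}")
```

The classification alone is not a verdict: a verifier still has to decide by policy whether a `parent` result is acceptable (a company signing for its own subdomains usually is) and whether a `public-suffix-parent` result should be treated as unsigned, which is the mitigation the thread is circling around.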