> In response to some other comments, this isn't a DNS vulnerability. DNS
> could be perfectly secure and we would have this problem; it derives
> from the fact that DKIM allows parent domains to sign for their
> children. So it belongs in the DKIM threats document.

As much as I would like to completely dismiss any DNS-"related" attack to the
DNS realm, and not DKIM's, I think your point is well-taken and should be
documented, for the reason you give.

That said, I suggest a rather simple note:

The nature of the DNS hierarchy gives quite a bit of power to any domain
up the hierarchy.

Once one has the ability to redirect the entire subtree to different
servers, the rest of the attacks by a parent (or above) become quibbles.

d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>