ietf-dkim

Re: [ietf-dkim] Re: New Issue: TLD key publication and signing

2006-02-20 04:28:38


> In response to some other comments, this isn't a DNS vulnerability.  DNS
> could be perfectly secure and we would have this problem; it derives
> from the fact that DKIM allows parent domains to sign for their
> children.  So it belongs in the DKIM threats document.

As much as I would like to completely dismiss any DNS-"related" attack to the DNS realm, and not DKIM's, I think your point is well-taken and should be documented, for the reason you give.

That said, I suggest a rather simple note:

The nature of the DNS hierarchy gives quite a bit of power to any domain up the hierarchy.

Once one has the ability to redirect the entire subtree to different servers, the rest of the attacks by a parent (or above) become quibbles.


d/
--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
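
An added example, not part of the original message or of the DKIM drafts: a receiver-side check that relates a signature's `d=` domain to the author's domain in `From:` and flags the case discussed above, where a parent domain (or a TLD) signs for a child. It assumes the signature has already been verified cryptographically, treats a single-label `d=` as a TLD, and uses constructed sample headers carrying only the identity tags.

```python
import re

def parse_tags(value):
    """Parse a DKIM-Signature tag-list ("k=v; k=v") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def labels(domain):
    return domain.lower().rstrip(".").split(".")

def is_strict_parent(parent, child):
    """True when `parent` is a proper ancestor of `child` in the DNS tree."""
    p, c = labels(parent), labels(child)
    return len(p) < len(c) and c[-len(p):] == p

def classify(dkim_value, from_addr):
    """Relate the signing domain (d=) to the author's domain in From:."""
    tags = parse_tags(dkim_value)
    d = tags.get("d")
    if not d:
        return "invalid: no d= tag"
    # i= defaults to "@" + d and must be d= itself or a subdomain of it.
    i_domain = tags.get("i", "@" + d).rsplit("@", 1)[-1]
    if labels(i_domain) != labels(d) and not is_strict_parent(d, i_domain):
        return "invalid: i= outside d="
    author = from_addr.rsplit("@", 1)[-1]
    if labels(author) == labels(d):
        return "same-domain"
    if is_strict_parent(d, author):
        # Assumption of this example: a single-label d= is treated as a TLD.
        return "tld-signs-for-child" if len(labels(d)) == 1 else "parent-signs-for-child"
    return "third-party"

# Constructed samples (not captured mail): (DKIM-Signature value, From address)
SAMPLES = [
    ("v=1; d=example.com; s=s1", "alice@example.com"),
    ("v=1; d=example.com; s=s1; i=@example.com", "bob@mail.example.com"),
    ("v=1; d=com; s=s1", "carol@example.com"),
    ("v=1; d=example.net; s=s1", "dave@example.com"),
]

if __name__ == "__main__":
    for hdr, frm in SAMPLES:
        print(f"{classify(hdr, frm):24} {frm:24} {hdr}")
```

A receiver could log or down-weight the `parent-signs-for-child` and `tld-signs-for-child` results rather than treating them as equivalent to a same-domain signature.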