Dave Crocker wrote:
As much as I would like to completely dismiss any DNS-"related" attack
to the DNS realm, and not DKIM's, I think your point is well-taken and
should be documented, for the reason you give.
That said, I suggest a rather simple note:
The nature of the DNS hierarchy gives quite a bit of power to any
domain up the hierarchy.
Once one has the ability to redirect the entire subtree to
different servers, the rest of the attacks by a parent (or above) become
quibbles.
It should be noted that the only thing this affects is SSP.
A delegation cannot be overridden for selectors, with the
exception of gross manipulation of NS records, which is not
a DKIM-specific threat.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html