,----
|4.3.1. Packet Amplification Attacks via DNS
|
| DKIM contributes indirectly to this attack by requiring the
| publication of fairly large DNS records for distributing public keys.
| The names of these records are also well known, since the record
| names can be determined by examining properly-signed messages. This
| attack does not have an impact on DKIM itself. DKIM, however, is not
| the only application which uses large DNS records, and a DNS-based
| solution to this problem will likely be required.
'____
DKIM might directly contribute to a packet amplification attack.
When an unlimited number of signatures are evaluated or a label tree
must be traversed for a list of email-address domains, the level of
targeted network traffic must be considered.
Change to:
| DKIM contributes indirectly to this attack by requiring the
| publication of fairly large DNS records for distributing public keys.
| When published with a wildcard label, the impact these keys might
| have increases when being exploited. DKIM may directly lead to an
| amplification attack without ensuring reasonable limits upon the
| number of verifications per message or the nature of the DNS
| transaction. While DKIM is not the only application using large DNS
| records, caution is required as regulating DNS traffic is problematic.
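
An added example, not part of the original message or of the DKIM draft: it derives the key record names from a message's DKIM-Signature headers, which the quoted section notes is possible, and caps how many DNS key lookups a single message can cause a verifier to make. The cap of 5, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string

MAX_KEY_LOOKUPS = 5  # assumed per-message cap; not a value taken from the draft

# Constructed sample: one message carrying 8 signatures from 8 domains.
SAMPLE = "".join(
    f"DKIM-Signature: v=1; a=rsa-sha256; d=example{i}.test;\r\n"
    f"\ts=sel{i}; h=from; bh=AAAA; b=BBBB\r\n"
    for i in range(8)
) + "From: a@example0.test\r\nSubject: constructed\r\n\r\nbody\r\n"


def parse_tags(value):
    """Split a DKIM-Signature tag-list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def plan_key_lookups(raw_message, limit=MAX_KEY_LOOKUPS):
    """Return (DNS names to query, number of signatures left unevaluated)."""
    msg = message_from_string(raw_message)
    names, skipped = [], 0
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        domain, selector = tags.get("d"), tags.get("s")
        if not domain or not selector:
            skipped += 1      # malformed signature: costs no DNS query
            continue
        qname = f"{selector}._domainkey.{domain}".lower()
        if qname in names:
            continue          # same key record: one answer serves both
        if len(names) >= limit:
            skipped += 1      # over the cap: generate no further traffic
            continue
        names.append(qname)
    return names, skipped


if __name__ == "__main__":
    planned, left = plan_key_lookups(SAMPLE)
    print(planned, left)
```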