On Jul 5, 2006, at 1:09 PM, Michael Thomas wrote:
Mark Delany wrote:
On Wed, Jul 05, 2006 at 08:37:52AM -0700, Michael Thomas allegedly
wrote:
It's my belief that DKIM selectors don't allow CNAME's. Am I
correct?
First off, lets suppose DKIM's query mechanism were a lot like it
is today, but
the base mechnism didn't have CNAME's. Suppose that somebody
proposed
that we should introduce them as a feature. What are:
[ the costs, risks, benefits ]
While interesting, as a practical matter, most verifiers would
have to
go to extraordinary length to reliable detect CNAMEs so I think the
question is mostly moot unless it can be shown that there is a risk
unique to DKIM.
Well, here's one: DKIM often runs during the incoming SMTP
conversation
with its inherent timeouts. Can attackers exploit that fact? What
should a
developer do to minimize risk?
Have a reasonable timeout on any DNS query, treat the message as
unsigned if the public key cannot be retrieved?
There doesn't appear to be any DNS-related risk to the recipient of
the message, as long as the verification code is written with some
care. There are lots of things the sender can do (and a few things a
third party could do) that would break the DNS related bits of DKIM,
but I can't think of a case where anything worse than some excess
DNS traffic followed by the message being treated as unsigned
would happen.
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html