Well, here's one: DKIM often runs during the incoming SMTP conversation
with its inherent timeouts. Can attackers exploit that fact? What should a
developer do to minimize risk?

Can you elaborate on how CNAME in particular comes into play here?

If the SMTP server does any DNS queries at all, whether that be for
DKIM, reverse mapping, RBLs, PKIX servers or any other modern-day
goop, then those queries can easily have CNAMEs in the chain. Even
just following the NS tree down to the authoritative server for the d=
domain in question can easily have CNAMEs that a client/cache already
follows today.
The only question can be: does a CNAME immediately prior to the final
TXT/DKK RR add a threat that is different from CNAMEs encountered
earlier in the lookup process?
Mark.
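The two concerns raised in this thread, the key lookup running inside the SMTP session's timeout budget (the opening question) and CNAMEs sitting in the chain ahead of the final TXT record (Mark's reply), can be made concrete as a bounded key fetch. The following is an added example, not code from the list or from any DKIM implementation; `FAKE_DNS`, `FAKE_LATENCY`, `fake_query`, `fetch_dkim_key` and `lookup_verdict` are assumed names over constructed zone data that stand in for a real resolver call, and the latencies are simulated rather than slept so the block runs offline.

```python
"""Bounded DKIM key lookup over a constructed in-memory DNS table.

A verifier that runs during the SMTP conversation cannot chase CNAMEs
indefinitely or wait on a slow authoritative server without tying up the
session. This example bounds both the number of CNAME hops and the total
time spent, and maps the outcome onto the RFC 6376 result classes
(TEMPFAIL for a transient DNS problem, PERMFAIL for a missing or broken key).
"""


class DkimLookupError(Exception):
    """Raised when the key cannot be fetched within the configured bounds."""

    def __init__(self, message, temporary=False):
        super().__init__(message)
        self.temporary = temporary  # True -> TEMPFAIL, False -> PERMFAIL


# Constructed zone data (assumed names, not real domains): name -> RR list.
FAKE_DNS = {
    "sel1._domainkey.example.org.": [("CNAME", "keys.example.net.")],
    "keys.example.net.": [("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY")],
    # A CNAME loop: the lookup must terminate rather than spin.
    "loop._domainkey.example.org.": [("CNAME", "a.loop.example.")],
    "a.loop.example.": [("CNAME", "b.loop.example.")],
    "b.loop.example.": [("CNAME", "a.loop.example.")],
    # An eleven-hop chain that ends in a valid record but exceeds the hop budget.
    "chain._domainkey.example.org.": [("CNAME", "c0.chain.example.")],
    "c10.chain.example.": [("TXT", "v=DKIM1; p=PLACEHOLDER")],
    # A record that exists but whose server answers far too slowly.
    "slow._domainkey.example.org.": [("TXT", "v=DKIM1; p=PLACEHOLDER")],
}
for _i in range(10):
    FAKE_DNS[f"c{_i}.chain.example."] = [("CNAME", f"c{_i + 1}.chain.example.")]

# Simulated per-name resolver latency in seconds (constructed; nothing sleeps).
FAKE_LATENCY = {"slow._domainkey.example.org.": 30.0}
DEFAULT_LATENCY = 0.05


def fake_query(name, rrtype, timeout):
    """Stand-in for one resolver call with a per-query timeout.

    Like a real resolver it answers with the CNAME when the name is an alias,
    regardless of the rrtype asked for. Returns (kind, data, seconds_spent).
    """
    latency = FAKE_LATENCY.get(name, DEFAULT_LATENCY)
    if latency > timeout:
        raise TimeoutError(f"query for {name} exceeded {timeout:.2f}s")
    rrs = FAKE_DNS.get(name, [])
    for rtype, rdata in rrs:
        if rtype == "CNAME":
            return ("CNAME", rdata, latency)
    txt = [rdata for rtype, rdata in rrs if rtype == rrtype]
    return ("TXT", txt, latency) if txt else (None, None, latency)


def fetch_dkim_key(selector, domain, max_cname_hops=4, budget_s=2.0, query=fake_query):
    """Resolve <selector>._domainkey.<domain> TXT with bounded hops and time.

    Returns (final_name, txt_strings, cname_hops). The remaining time budget is
    passed down as each query's timeout, so one slow server cannot consume
    more than the whole budget. A production verifier would derive 'spent'
    from a monotonic clock instead of the simulated latency used here.
    """
    name = f"{selector}._domainkey.{domain}."
    seen = set()
    remaining = budget_s
    for hop in range(max_cname_hops + 1):
        if name in seen:
            raise DkimLookupError(f"CNAME loop at {name}")
        seen.add(name)
        try:
            kind, data, spent = query(name, "TXT", timeout=remaining)
        except TimeoutError as exc:
            raise DkimLookupError(str(exc), temporary=True) from exc
        remaining -= spent
        if kind is None:
            raise DkimLookupError(f"no DKIM TXT record at {name}")
        if kind == "CNAME":
            name = data  # follow the alias, counted against the hop budget
            continue
        return name, data, hop
    raise DkimLookupError(f"more than {max_cname_hops} CNAME hops from {selector}._domainkey.{domain}.")


def lookup_verdict(selector, domain):
    """Map the bounded lookup onto the verifier's result class."""
    try:
        final_name, _txt, hops = fetch_dkim_key(selector, domain)
    except DkimLookupError as exc:
        return ("TEMPFAIL" if exc.temporary else "PERMFAIL", str(exc))
    return ("KEY", f"{final_name} after {hops} CNAME hop(s)")


if __name__ == "__main__":
    for sel in ("sel1", "loop", "chain", "slow", "nosuch"):
        print(sel, "->", lookup_verdict(sel, "example.org"))
```

The hop and time bounds are the developer-side mitigation for the thread's question: a CNAME just before the TXT record is followed exactly like any earlier CNAME, but only within the same budget, so the SMTP session returns a TEMPFAIL or PERMFAIL result instead of stalling.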
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html