On Fri, 08 Dec 2006 15:23:58 -0800 Michael Thomas <mike(_at_)mtcc(_dot_)com>
wrote:
Eliot Lear wrote:
Jim,
I'm not sure I fully understand the threat. If an attacker is
attacking from mail.example.com, then mail.example.com must have been
delegated to first in example.com. Otherwise, there would be no
lookup for an SSP record in mail.example.com, right?
I had thought the concern was the wildcard concern about how much
trust is afforded between superior and inferior domains. In that
case, I answer, "you pays your money you takes your chances". Don't
like a particular superior? Find another. If you can't for policy
reasons, then that's not a technical problem.
What do I have wrong?
It's fairly simple. Let's say I have a policy record setup for:
_policy._domainkey.example.com: "policy=I-sign-everything;"
Then if there's unsigned mail for foo(_at_)example(_dot_)com, I look it up
at example.com, I see that unsigned mail is bogus, life is good.
So attacker now gets smarter and sends as
foo(_at_)a(_dot_)b(_dot_)c(_dot_)d(_dot_)example(_dot_)com(_dot_)
Is there a policy record there? No. Can I populate every possible
subdomain there? Not with DNS wildcards, therefore no. Uh-oh.
Well, I guess my question would be does a.b.c.d.example.com exist? If not
I think perhaps I don't want their mail in any case.
If SSP limits itself to domains that exist, then doesn't that simplify
things.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html