ietf-dkim

Re: [ietf-dkim] New Issue: Applicability of SSP to subdomains

2006-12-10 07:59:57
John Levine wrote:
So attacker now gets smarter and sends as foo@a.b.c.d.example.com.
Is there a policy record there? No. Can I populate every possible
subdomain there? Not with DNS wildcards, therefore no. Uh-oh.

We ran into just this problem while defining CSV, the "like wildcards
except that we use prefixes" problem.  Having gone around this a lot
of times, I think I can say with confidence that there are a lot of
hacks, some rather clever, but there is no good solution.

The suggestion that SSP would fail if a domain doesn't have at least
one of MX, A, or AAAA (perhaps with intervening CNAMEs) is intriguing,
but it would have the effect of adding the same condition to RFC 821
or 2821 since SSP users would thereby decree such mail to be
undeliverable.  I entirely agree that it is unlikely that one will
get legit mail from an address without enough DNS to write back, but
this is severe standards mission creep.

Right and it seems completely orthogonal to the question of "what is the
signing policy of a.b.c.d.example.com?" The question at hand is more of
"does SSP provide inheritance to even possibly non-existent domains?"
Assuming that SSP does, a receiver may or may not want to ask the policy
question, and may or may not ask the exists question. They seem pretty
severable to me.

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
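
An added example (not part of the thread or of any SSP draft): a toy model of RFC 4592 wildcard synthesis over constructed zones, showing the "wildcards versus prefixes" problem the messages above discuss. The `_ssp` prefix label, the zone contents and the function names are assumptions made for illustration.

```python
# Toy RFC 4592 wildcard synthesis over constructed zones (not a real resolver).
# "_ssp" is a hypothetical policy prefix label; the thread does not name one.

def ancestors(name):
    """Yield name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def existing_names(zone):
    """Every owner name plus the empty non-terminals above it."""
    names = set()
    for owner in zone:
        names.update(ancestors(owner))
    return names

def lookup_txt(zone, qname):
    """Return (TXT answer or None, how it was resolved)."""
    exists = existing_names(zone)
    if qname in exists:
        # An existing name is never covered by a wildcard, even with no TXT.
        return zone.get(qname, {}).get("TXT"), "exact"
    # Closest encloser: the longest ancestor of qname that exists.
    encloser = next((a for a in ancestors(qname) if a in exists), None)
    source = "*." + encloser if encloser else None
    # Only a leftmost "*" label directly under the encloser can synthesize.
    if source in exists:
        return zone.get(source, {}).get("TXT"), "wildcard " + source
    return None, "nxdomain"

# Constructed zone 1: the prefix placed in front of a "*" label.
# "_ssp.*.example.com" is an ordinary name; "*" is not leftmost.
ZONE_MID = {
    "example.com": {"TXT": "apex"},
    "_ssp.example.com": {"TXT": "policy"},
    "_ssp.*.example.com": {"TXT": "policy"},
}

# Constructed zone 2: a plain wildcard plus one real host, d.example.com.
ZONE_WILD = {
    "example.com": {"TXT": "apex"},
    "*.example.com": {"TXT": "policy"},
    "d.example.com": {"A": "192.0.2.1"},
}

if __name__ == "__main__":
    for zone, q in [(ZONE_MID, "_ssp.a.b.c.d.example.com"),
                    (ZONE_WILD, "_ssp.a.b.c.d.example.com"),
                    (ZONE_WILD, "_ssp.a.b.c.x.example.com"),
                    (ZONE_WILD, "www.x.example.com")]:
        print(q, "->", lookup_txt(zone, q))
```

In this model the plain wildcard stops applying beneath any name that already exists, and where it does apply it answers every TXT query rather than only the prefixed one.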
