John L wrote:
>> percentages are "normal" vs. "unusual", but my cursory look a
>> long time ago suggested that it met the 80-20 rule.
> You are certainly correct that most zones are pretty flat, but this
> sounds like a DOS attack waiting to happen, send out junk with long
> bogus addresses and watch the system on the other end chew up its
> cache crawling up to the SOA. That's why we arbitrarily limited the
> walk in CSV to five levels.
No, it circumvents that problem. It goes like this:
1) query for the name _policy._domainkey.sub.domain.attack.foo.com
2) if you don't get an SSP RR, check to see if it gave
   you NS or SOA authority records.
   o If they're available and it's a parent domain of the domain
     you're querying from, query that label.
3) done.
Thus for:
baz@sub.domain.attack.foo.com
query: _policy._domainkey.sub.domain.attack.foo.com
which returns:
>> NXDOMAIN or NODATA and an authority section SOA of
foo.com. 10800 IN SOA dns-rtp2-2-l.
postmaster.foo.com. 8004725 7200 1800 86
Take the authority domain and try again:
policy._domainkey.sub.foo.com
>> v=DKIM1; o=~; t=y; r=abuse@foo.com
You never go any further than this.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
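
The two-query lookup outlined in the message above, as an added Python example that is not part of the original post or of any DKIM implementation. The resolver stub, the zone data and all function names are constructed for illustration; the retry goes to the owner name of the SOA returned in the authority section, and only if that name is a parent of the queried domain.

```python
# Added example: bounded policy lookup using the authority section.
# All names here are hypothetical; the zone data is constructed.
ZONE_APEX = "foo.com"
RECORDS = {"_policy._domainkey.foo.com": "v=DKIM1; o=~; t=y; r=abuse@foo.com"}


def fake_resolve(qname):
    """Offline stand-in for a resolver.

    Returns (txt, authority_owner): the TXT data if the name exists, else
    None plus the owner name of the SOA in the authority section.
    """
    qname = qname.rstrip(".").lower()
    if qname in RECORDS:
        return RECORDS[qname], None
    if qname == ZONE_APEX or qname.endswith("." + ZONE_APEX):
        return None, ZONE_APEX  # NXDOMAIN/NODATA with the zone's SOA
    return None, None  # no usable authority data


def is_parent(parent, child):
    """True only if `parent` is a strict ancestor of `child`."""
    return child.endswith("." + parent)


def lookup_policy(domain, resolve=fake_resolve, prefix="_policy._domainkey"):
    """Return (policy_or_None, queries_sent); never sends more than two."""
    queries = []

    def ask(name):
        queries.append(name)
        return resolve(name)

    domain = domain.rstrip(".").lower()
    txt, authority = ask(f"{prefix}.{domain}")            # step 1
    if txt is None and authority:                         # step 2
        authority = authority.rstrip(".").lower()
        # Ignore authority names that are not above the queried domain.
        if is_parent(authority, domain):
            txt, _ = ask(f"{prefix}.{authority}")
    return txt, queries                                   # step 3: done


if __name__ == "__main__":
    deep = ".".join(["x"] * 40) + ".foo.com"  # long bogus sender domain
    for d in ("sub.domain.attack.foo.com", deep, "example.net"):
        policy, sent = lookup_policy(d)
        print(len(sent), "queries ->", policy)
```

The query count stays at two however many labels the sender's domain carries, which is the property that answers the cache-exhaustion concern about walking up label by label.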