ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues

2007-06-05 10:03:11
from [Bill.Oxley] [Permanent Link] 
+1

Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Douglas Otis
Sent: Tuesday, June 05, 2007 11:58 AM
To: Stephen Farrell
Cc: Scott Kitterman; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues


On Jun 4, 2007, at 6:34 PM, Stephen Farrell wrote:

Douglas Otis wrote:


It is not clear why a "no mail sent" assertion must be excluded  
from a policy statement.


Well... because that was the concensus. Feel free to re-read the  
archive, but basically: End of story.


Consensus does not necessarily produce a solution that improves  
security.

Making assertions of "no mail from a domain" remains an important  
aspect for protecting higher overheads in a DKIM process.  This  
assertion efficiently deals with spoofed messages.  Relegating this  
policy to SPF underlines a glaring lack of consideration given security!

Reactions regarding use of wildcards from DSN WGs have been  
predominately "Don't do it."  Limitations regarding new RRs are due  
to a corporate environment established as an integrated solution for  
a commonly desktop solution.  Even overcoming this barrier will still  
confront dangers associated with wildcard abuse.

Unlike other DNS records, wildcards can cause an infinite amount of  
uncached traffic, that while being cached, is not resolved from  
cache.  Often wildcards are utilized by bad actors to deploy random  
labels which happen to be more difficult to filter.  Otherwise  
innocent wildcards can also be exploited a component in some DDoS  
attack as well.

Over the last few years, spammers have  become more malevolent and  
organized.  Their skills can be measured by the growth and nature of  
their networks.  Malware and spam go hand in hand where SPF gives  
this population an effective tool for poisoning DNS or staging a DDoS  
attacks.  Unfortunately, wildcard records also becoming less safe as  
a result of this growing population.

The safe answer would be to require an MX record before accepting a  
message, and publish policy at this location.  As an interim  
solution, also publish policy at the location of other A records as  
well.  The XPTR or any other wildcard scheme will require that these  
records be placed at each and every node within a domain!  How can  
that be safe or sane?

-Doug


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues, Douglas Otis
Next by Date:  Re: MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues, Hector Santos
Previous by Thread:  Re: MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues, Douglas Otis
Next by Thread:  [ietf-dkim] I think we can punt the hard stuff as out of scope., Hallam-Baker, Phillip
Indexes:  [Date] [Thread] [Top] [All Lists]