ietf-dkim

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-09 11:25:49
Dave, I'm not understanding how the algorithm can work if you omit 
step 2 from section 4.2.2.

Suppose that example.com wants to assert to the world that it signs 
all messages.  It will create an ADSP record for example.com with the 
appropriate assertion.  Without step 2, all an attacker has to do is
to craft a message purported to be from
"attacker@some.thing.example.com" (where "thing" is not a valid label
in the example.com domain).  Step 1 fails, because of course there is
no _adsp._domainkey.some.thing.example.com (i.e., it returns 
NXDOMAIN), so the algorithm falls through to the next step, which is 
now step 3.  Step 3 searches for _adsp._domainkey.thing.example.com, 
which also returns NXDOMAIN, so "the algorithm terminates with a 
result indicating that no ASP record was present" --- and the absence 
of an ADSP record means that unsigned mail must be deemed legitimate. 
Without step 2 there is nothing example.com can do to protect its 
name space.

If that's what you mean when you say "that presumes the goal of 
protecting an entire sub-tree" then I'm all for protecting the entire 
sub-tree.  Anything less looks to me like it severely weakens the 
entire point of ADSP.

eric



--On April 7, 2008 2:32:25 PM -0700 Dave Crocker <dhc(_at_)dcrocker(_dot_)net> 
wrote:



robert(_at_)barclayfamily(_dot_)com wrote:
Like others I am guessing that you are referring to section 4.2.2
step 2.

Yup.

Since the domain doesn't exist the administrator can't have
been expected to create a policy for it so error seems like the
right answer to me.

That presumes the goal of protecting an entire sub-tree.

Absent that goal, the goal is to cover domains that have ADSP
records.  Very different scope of effort.


Otherwise to create policies for all of my domains I would have to
create policies not just for all existing sub-domains of that
domain (which I personally would support) but all conceivable
sub-domains of a domain (which I don't think I would).

Again, creating records for every conceivable name -- and no, I
can't imagine any reasonable administrator attempting that -- is
only an issue if there is a belief that ADSP can 'protect' all
names in a sub-tree.

d/


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
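
Added example, not part of either message and not code from the draft: a small Python model of the section 4.2.2 lookup as this thread describes it, run with and without step 2 so the difference for a name like some.thing.example.com is visible. The zone contents, the "dkim=all" policy string and the function names are constructed for illustration, and the three steps are modeled from the thread's description rather than copied from the draft text.

```python
# Constructed zone: every name that has records published (value = TXT data, if any).
ZONE = {
    "example.com": None,
    "www.example.com": None,
    "_adsp._domainkey.example.com": "dkim=all",  # constructed sample policy
}

def exists(name):
    """A name exists if it, or anything beneath it, has records; otherwise NXDOMAIN."""
    return any(n == name or n.endswith("." + name) for n in ZONE)

def adsp_txt(domain):
    """TXT data published at _adsp._domainkey.<domain>, or None."""
    return ZONE.get("_adsp._domainkey." + domain)

def lookup(author_domain, with_step2=True):
    """Return ('record', txt), ('error', reason) or ('none', None)."""
    # Step 1: policy record published for the author domain itself.
    txt = adsp_txt(author_domain)
    if txt:
        return ("record", txt)
    # Step 2: the author domain must exist in DNS at all.
    if with_step2 and not exists(author_domain):
        return ("error", "author domain does not exist")
    # Step 3: policy record published for the immediate parent domain.
    parent = author_domain.partition(".")[2]
    txt = adsp_txt(parent) if parent else None
    if txt:
        return ("record", txt)
    return ("none", None)

if __name__ == "__main__":
    for domain in ("www.example.com", "bogus.example.com", "some.thing.example.com"):
        for with_step2 in (True, False):
            print(f"{domain:24} step2={with_step2!s:5} -> {lookup(domain, with_step2)}")
```

A nonexistent name one label below example.com is still covered by step 3's parent lookup; the gap without step 2 opens at two or more nonexistent labels.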
