
Re: [ietf-dkim] Are lookalike domains like parent domains?

2008-05-01 02:47:23
On Wed, 30 Apr 2008 21:02:21 +0100, Arvel Hathcock  
<arvel(_dot_)hathcock(_at_)altn(_dot_)com> wrote:

> Now suppose that the attacker decides to send the mail from
> doesnt-exist.example.com.  Note that this sub-domain is still part of
> example.com yet since "doesnt-exist" doesn't exist there is no way the
> administrator at example.com could have deployed an ADSP record for it
> and where there is no ADSP record, the algorithm requires a result of "I
> do not sign everything."  Thus is ADSP defeated and we become, in my
> view, a laughing stock for overlooking an obvious hole in our algorithm.
>
> Enter the NXDOMAIN check.  If, as part of the ADSP algorithm, an
> NXDOMAIN check is performed, the algorithm can quickly detect that the
> domain doesn't exist and that _this_ might be the reason there is no
> ADSP record.  This added insight closes the hole and can be used by
> filtering agents.

Or alternatively, enter the Treewalk, which also cures the problem (at  
least to the level the treewalk is taken to).

> The debate has shifted from outright hostility to any NXDOMAIN check at
> all (complete elimination of it in its entirety) to just removing it
> from a required algorithmic step and instead referencing it
> non-normatively with some version of "this is a good idea that you might
> want to think about if you're not already doing it."

I am not so sure the debate has shifted to the extent you imagine. And the
trouble with non-normative text is that it is non-normative. You cannot be
sure that people will take the hint. Currently some sites already do it,
but many don't.

So my preference is still for treewalking, at least to the depth of 2 as  
advocated in the present draft. And by all means add that non-normative  
remark as well, just to encourage good practice. The advantage of the  
treewalking is that it IS within our remit to include normative mention of  
it.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
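As an added worked example (not code from the thread or from any DKIM implementation), a toy ADSP-style lookup in Python that shows the three behaviours discussed above for a sub-domain that does not exist: the plain lookup that yields "I do not sign everything", the NXDOMAIN check, and a tree walk to a chosen depth. The record location (`_adsp._domainkey.<domain>`) and the `dkim=` values follow the form later fixed in RFC 5617, and the zone data is constructed for the example.

```python
# Added example: ADSP-style policy lookup with optional NXDOMAIN check and tree walk.
# Record location and dkim= values follow RFC 5617 (an assumption for the 2008 draft);
# the zone below is constructed test data, not real DNS.

NXDOMAIN = object()  # sentinel: the queried name does not exist at all

# Constructed zone: a key is an owner name, its value the TXT rdata for that
# name ([] = name exists but has no TXT data). A name absent from the dict
# is NXDOMAIN, so doesnt-exist.example.com falls in that class.
ZONE = {
    "example.com": [],
    "_adsp._domainkey.example.com": ["dkim=all"],
    "mail.example.com": [],            # exists, but the admin published no ADSP record
    "sub.mail.example.com": [],
}

def lookup_txt(name):
    """Toy resolver: TXT strings, [] for NOERROR/no data, NXDOMAIN sentinel otherwise."""
    return ZONE.get(name, NXDOMAIN)

def domain_exists(domain):
    """NXDOMAIN check on the Author Domain itself (a real resolver would use MX/A/AAAA)."""
    return domain in ZONE

def adsp_record(domain):
    """Return the dkim= policy published at _adsp._domainkey.<domain>, or None."""
    txt = lookup_txt(f"_adsp._domainkey.{domain}")
    if txt is NXDOMAIN or not txt:
        return None
    for field in txt[0].split(";"):
        key, _, value = field.strip().partition("=")
        if key == "dkim":
            return value.strip()
    return None

def adsp_result(domain, nxdomain_check=False, treewalk_depth=0):
    """Policy result: 'nxdomain', 'unknown', 'all' or 'discardable'."""
    if nxdomain_check and not domain_exists(domain):
        return "nxdomain"            # the hole is closed: no record because no domain
    labels = domain.split(".")
    # depth 0 looks only at the Author Domain; each further step climbs one label.
    # Climbing stops at a two-label name, a simplified stand-in for a public-suffix check.
    for step in range(treewalk_depth + 1):
        if len(labels) - step < 2:
            break
        policy = adsp_record(".".join(labels[step:]))
        if policy is not None:
            return policy
    return "unknown"                 # no record found: "I do not sign everything"
```

With no check and no tree walk, the nonexistent sub-domain gets the same "unknown" answer as a domain that simply never published a record; either fix distinguishes the two cases.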