On Jul 8, 2008, at 7:40 AM, Frank Ellermann wrote:
Stephen Farrell wrote:
Thing 3:
[...]
If you do post text for that, please put "caveats" in the
subject as well as 1576.
~~~ old ~~~
= It is possible to add a wildcard TXT record alongside a
= wildcard MX that will provide suitable ADSP records for
= any domain chosen by an attacker, since if the wildcard
= synthesizes chosen-name.example.com IN MX, it will then
= also synthesize _adsp._domainkey.chosen-name.example.com
- IN TXT. However multiple wildcard TXT records produce
- an undefined ADSP result, which means you cannot also
- publish both ADSP records and records for any other
- TXT-using protocol (such as SPF) for a wildcard domain.
~~~ new ~~~
= It is possible to add a wildcard TXT record alongside a
= wildcard MX that will provide suitable ADSP records for
= any domain chosen by an attacker, since if the wildcard
= synthesizes chosen-name.example.com IN MX, it will then
= also synthesize _adsp._domainkey.chosen-name.example.com
+ IN TXT. This practice is NOT RECOMMENDED, as it might
+ not work as expected in the presence of multiple TXT
+ records for different purposes.
Good up to:
When publishers try it
+ anyway, the ADSP record MUST start with "dkim=" followed
+ by one of the registered Outbound Signing Practices as
+ specified in section 5.2.
This provides little benefit unless the record syntax is changed
to offer a reliable defence. The [] denotes an addition made to
the Record Syntax.
4.2.1. Record Syntax
ADSP records use the "tag=value" syntax described in section 3.2 of
[RFC4871].
Tags used in ADSP records are described below [and MUST immediately
begin with the "dkim=" tag.]
~~~ end ~~~
Remove (missing) three-letter acronym expansion for SPF.
Remove (missing) informative RFC 4408 reference.
Add (missing) informative RFC 4592 reference used in 6.3.
Agreed.
Frank
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
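As an added illustration of the caveat quoted above (this is example code written for this note, not text or code from the ADSP draft, from DKIM software, or from anyone on this thread), the following Python models a zone with a wildcard MX and a wildcard TXT, shows that _adsp._domainkey.<any-name>.example.com synthesizes an ADSP answer for a name the attacker picks, and contrasts the old "multiple TXT records = undefined" rule with the proposed "record MUST start with dkim=" rule. The zone contents and query names are constructed; the practice values unknown/all/discardable, the MX-only domain-existence test, and the function names are assumptions made here.

```python
"""Added example, not code from the ADSP draft or from any DKIM project.

Models the case in the quoted caveat: a wildcard MX plus a wildcard TXT at
*.example.com makes _adsp._domainkey.<any-name>.example.com synthesize an
ADSP record, and reusing that wildcard TXT for SPF as well makes the RRset
ambiguous.  The zone and query names are constructed; the "record MUST
start with dkim=" rule is the one proposed in the quoted text; the practice
values unknown/all/discardable and the MX-only existence check are assumed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone for example.com.  Keys are (owner name, RR type).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("_adsp._domainkey.example.com", "TXT"): ["dkim=all"],
    # Wildcard MX so every subdomain accepts mail, plus a wildcard TXT shared
    # by two protocols (SPF and ADSP): the configuration the caveat warns about.
    ("*.example.com", "MX"): ["10 mail.example.com"],
    ("*.example.com", "TXT"): ["v=spf1 mx -all", "dkim=all"],
}

PRACTICES = {"unknown", "all", "discardable"}  # assumed registered dkim= values


def _existing_names(zone: Dict[Tuple[str, str], List[str]]) -> set:
    """Owner names plus their ancestors (empty non-terminals) down to the apex."""
    names = set()
    for owner, _ in zone:
        labels = owner.split(".")
        for i in range(len(labels) - 1):   # never goes above "example.com"
            names.add(".".join(labels[i:]))
    return names


def lookup(zone, qname: str, qtype: str) -> List[str]:
    """Answer qname/qtype with RFC 4592 wildcard semantics.

    An existing name answers for itself (possibly NODATA).  Otherwise the
    closest existing ancestor is the closest encloser, and "*.<encloser>"
    synthesizes the answer if it exists; else the name does not exist.
    """
    existing = _existing_names(zone)
    if qname in existing:
        return list(zone.get((qname, qtype), []))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in existing:
            return list(zone.get(("*." + encloser, qtype), []))
    return []   # NXDOMAIN


def parse_tags(record: str) -> List[Tuple[str, str]]:
    """tag=value list syntax (RFC 4871 section 3.2), kept in record order."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            tags.append((tag.strip(), value.strip()))
    return tags


def select_adsp_record(txt_records: List[str], require_dkim_prefix: bool) -> Optional[str]:
    """Pick the one ADSP record out of a TXT RRset, or None when undefined.

    Old text: any extra TXT record (the SPF one here) makes the result undefined.
    Proposed text: only records starting with "dkim=" are ADSP records, so a
    co-resident SPF record is ignored instead of poisoning the lookup.
    """
    if require_dkim_prefix:
        candidates = [r for r in txt_records if r.startswith("dkim=")]
    else:
        candidates = list(txt_records)
    return candidates[0] if len(candidates) == 1 else None


def author_domain_practice(zone, author_domain: str, require_dkim_prefix: bool) -> Optional[str]:
    """ADSP result for author_domain: "nxdomain" if the domain has no MX
    (simplified existence test), "unknown" if it has no ADSP record, the
    dkim= value when exactly one ADSP record is found, None when undefined."""
    if not lookup(zone, author_domain, "MX"):
        return "nxdomain"
    records = lookup(zone, "_adsp._domainkey." + author_domain, "TXT")
    if not records:
        return "unknown"
    chosen = select_adsp_record(records, require_dkim_prefix)
    if chosen is None:
        return None
    value = dict(parse_tags(chosen)).get("dkim")
    return value if value in PRACTICES else None


if __name__ == "__main__":
    # "chosen-name" stands for any label an attacker picks; it exists only
    # because the wildcard MX and TXT synthesize answers for it.
    for domain in ("example.com", "chosen-name.example.com", "nowhere.example.org"):
        rrset = lookup(ZONE, "_adsp._domainkey." + domain, "TXT")
        print(f"{domain}: TXT={rrset} old={author_domain_practice(ZONE, domain, False)!r} "
              f"new={author_domain_practice(ZONE, domain, True)!r}")
```

Run as a script it shows that the attacker-chosen name passes the MX existence test and, under the old wording, yields an undefined ADSP result because the wildcard TXT RRset carries both the SPF and the ADSP string, while under the proposed "dkim=" prefix rule the SPF string is simply not an ADSP record and the lookup resolves to the wildcard's practice. The prefix rule only disambiguates; it does not stop the wildcard from publishing a practice for every name an attacker can invent, which is why the text still marks the setup NOT RECOMMENDED.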