Michael Thomas wrote:
We've thought quite a lot about this and it really looks like the only
reasonable way to deal with this is to segregate the traffic into different
subdomains (yes, I hear the groans) with different policies. The alternative
is that you need to enumerate all of the policies at one level of the DNS
tree, which is unattractive given MTU considerations. Thus, you'd want:
_policy._domainkey.biz.santronix.com. IN TXT "o=!;"
_policy._domainkey.santronix.com. IN TXT "o=-;"
or something like that.
There is one other option, which is to make signing policy granular at
the user level (o=^, or USER in Hector's terminology). This needs more
analysis, but may involve a lot of DNS lookups (plus the potential for
an attacker to cause more by sending lots of messages from random
addresses in the domain).
-Jim
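As an added illustration of the per-subdomain policy walk discussed above (not code from the thread or from any DKIM implementation): a small Python resolver that queries _policy._domainkey at the sender's domain and walks towards the root so the subdomain record wins, using an in-memory stand-in for DNS built from the two records quoted above. The lookup cap (MAX_LOOKUPS) is an assumption added to bound the extra lookups the message worries about.

```python
"""Resolve a DKIM signing policy for a sender by walking up the DNS tree."""
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS: the two TXT records from the message.
# A real deployment would query the TXT RR for each name instead.
FAKE_DNS: Dict[str, str] = {
    "_policy._domainkey.biz.santronix.com": "o=!;",
    "_policy._domainkey.santronix.com": "o=-;",
}

# Assumed cap on lookups per message: bounds the work an attacker can
# induce by sending mail from many random, deeply nested subdomains.
MAX_LOOKUPS = 4


def parse_policy(txt: str) -> Dict[str, str]:
    """Split a 'tag=value;' TXT record into a dict, ignoring empty fields."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        tag, _, value = field.partition("=")
        tags[tag.strip()] = value.strip()
    return tags


def lookup_policy(sender: str,
                  dns: Dict[str, str] = FAKE_DNS) -> Tuple[Optional[str], int]:
    """Return (o-tag value, lookups used) for the most specific policy.

    Starts at the sender's domain and walks towards the root, so a
    subdomain policy overrides its parent's. Stops below two labels or
    when MAX_LOOKUPS is exhausted; None means no policy was found.
    """
    _, _, domain = sender.rpartition("@")
    labels = domain.lower().rstrip(".").split(".")
    lookups = 0
    while len(labels) >= 2 and lookups < MAX_LOOKUPS:
        name = "_policy._domainkey." + ".".join(labels)
        lookups += 1
        txt = dns.get(name)
        if txt is not None:
            return parse_policy(txt).get("o"), lookups
        labels = labels[1:]  # strip the leftmost label and retry at the parent
    return None, lookups
```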