On Dec 14, 2007, at 9:30 AM, Frank Ellermann wrote:
Hector Santos wrote:
IMHO, 2821bis should state that "putting CNAMEs as the target of
MX records is not allowed, as stated in RFC 2181"
Good idea, maybe it helps to reduce the debates about this issue.
this still won't change the BCP requirement for "Industry Ready"
software to recognize it.
That BCP has no number yet, and Doug can be very creative to turn
anything in DNS into some kind of attack, with a slight prejudice
against SPF's mx-mechanism ;-)
Ouch. The macro expansion of SPF can initiate subsequent DNS
transactions against domains constructed from email header and
parameter components passed to the processing routines. These
automatically generated transactions thereby permit a cached RR to
generate sizeable amounts of independently targeted traffic triggered by
spam, but not logged by SMTP. The spam and SPF records can be crafted
to facilitate DNS poisoning and/or DDoS attacks at _zero_ additional
cost to spammers. Do not describe my concern as a _slight_
prejudice. MX records were used to just demonstrate this concern with
available open-source SPF routines. Imagine how bad it might get when
full IPv6 support is added to accommodate RFC 3974. :^(
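As an added illustration of the macro-expansion concern raised in this message (example code written for this page, not from the thread or from any SPF implementation): it expands RFC 7208 macros, lists the query names a record would make an evaluator resolve, and flags names shaped by sender-controlled data, so an operator can see how many distinct targets one cached record fans out to and cap or alert on it. The SPF record, domain names and message context below are constructed placeholders.

```python
import re

# Constructed SPF record (hypothetical domain): the "exists" target embeds
# macros filled from the MAIL FROM local-part (%{l}) and its domain (%{o}).
RECORD = "v=spf1 exists:%{l}.%{o}._spf.example.com include:_spf.example.com -all"

# RFC 7208 macro syntax: %{x}, %{x3}, %{xr}, %{x2r-}; plus %%, %_ and %-.
MACRO_RE = re.compile(r"%\{([slodipvh])(\d*)(r?)([.\-+,/_=]*)\}", re.I)
SENDER_CONTROLLED = set("sloh")  # letters filled from MAIL FROM / HELO data
DNS_TERMS = ("a", "mx", "ptr", "exists", "include", "redirect")  # cost a query

def expand(text, ctx):
    """Expand SPF macros in text; ctx maps each macro letter to its value."""
    def repl(m):
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", ctx[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)
    out = MACRO_RE.sub(repl, text)
    return out.replace("%%", "%").replace("%_", " ").replace("%-", "%20")

def lookup_names(record, ctx):
    """(mechanism, query name, sender_influenced) for every DNS-costing term."""
    names = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        mech, _, arg = term.partition(":" if ":" in term else "=")
        if mech.lower() not in DNS_TERMS:
            continue
        target = arg or ctx["d"]  # bare "a"/"mx" query the current domain
        tainted = any(m.group(1).lower() in SENDER_CONTROLLED
                      for m in MACRO_RE.finditer(target))
        names.append((mech.lower(), expand(target, ctx), tainted))
    return names

def distinct_query_names(record, base_ctx, local_parts):
    """Distinct names resolved when only the local-part varies (the fan-out)."""
    seen = set()
    for lp in local_parts:
        ctx = dict(base_ctx, l=lp, s=f"{lp}@{base_ctx['o']}")
        seen.update(name for _, name, _ in lookup_names(record, ctx))
    return seen

# Constructed evaluation context for one message (RFC 7208 section 7.2 letters).
CTX = {"s": "alice@sender.test", "l": "alice", "o": "sender.test", "d": "sender.test",
       "i": "192.0.2.1", "p": "unknown", "v": "in-addr", "h": "mail.sender.test"}
```

Feeding a batch of observed envelope senders through `distinct_query_names` shows whether a record's lookups are bounded by the record or by the sender, which is the property to monitor.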