In your letter dated Wed, 16 Sep 2015 09:51:31 -0400 you wrote:
> There are other operational differences that call "about as
> expensive" into question. While arrangements differ from one
> provider to the next and in part because of spam and related
> problems, many SMTP servers are aggressively monitored.
> Rate-limiting is common as is connection filtering based on
> sender address ranges and other protections. All SMTP
> connections are over TCP, which facilitates the above. DNS
> queries are, in my experience, typically less aggressively
> monitored and filtered. The I-D recommends using TCP for
> OPENPGPKEY queries, but my (admittedly poor) memory of DNS
> protocol details suggests that, if one only wanted to determine
> the presence of a record and didn't care about the key, a UDP
> query could be used, making some of the protections that are
> used by SMTP servers even more difficult.

This seems to be a great way to block a lot of progress.
If you start storing more sensitive data in a server or service, then
obviously you need to upgrade the protection and monitoring.
Claiming that, just because today there is no monitoring due to the lack of
sensitive data, there cannot be a proposal to store something else sounds
very circular to me.
If this line of reasoning were applied to the Internet as a whole, then we would
still have nothing more than an academic research project.
In this context, there is no point in spoofing the source address of a
UDP DNS query because the attacker would need the reply. So monitoring and
rate limiting should work as well for UDP as for TCP.

> There is also no SMTP equivalent of hiding one's DNS query by
> the use of forwarders or caching servers rather than direct use
> of authoritative ones.

In my experience, spammers seem to have access to botnets. So in many
cases the origin of an SMTP connection is already hidden.

> If UDP is, in fact, possible, then the DNS query is inherently
> less expensive than opening a mail transaction and also exposes
> the attacker to at least slightly lower odds of detection,
> identification, or blocking.

If you have to include a valid source address, how does that lower the odds
of detection, etc?
Yes, UDP is less expensive than TCP. However, that only becomes an issue
if lack of resources on either client or server side has an effect on the
attack.
It is safe to assume that a server should start some kind of rate limiting
long before resource exhaustion becomes an issue.

> So "about as expensive" may not be true, especially if
> effectiveness is weighed into the equation. At a minimum, the
> conditions are different enough that a probe to one cannot be
> equated to a probe to the other.
> FWIW, some of the issues above are closely related to the
> reasons I want to see the "experiment" described. If we can
> anticipate possible issues, asking people to monitor for them
> and report on them seems reasonable... and not doing so seems a
> little irresponsible.

A completely random idea, but maybe worth experimenting with: doing the
same thing over SMTP.
Require a TLS connection, probably to the mail submission port, with a
DANE record (to get the same sort of security as in this draft) and an
'OPENPGP <mail-address>' command.
The advantage is that the LHS issues are gone. The question is whether access to
port 587 is generally open to mail user agents and whether mail servers can
allow anonymous access to that port.
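As an added example, not part of either message in this thread, here is the presence-only UDP probe the exchange argues about, in Python: it builds a plain (non-EDNS) OPENPGPKEY query and classifies replies from the 12-octet header alone, so a reply truncated to fit a UDP datagram (TC=1) still tells the prober whether a key exists, without the TCP retry the I-D recommends. It also shows why a spoofed source address gains the attacker nothing: a reply whose transaction ID does not match the query the prober sent is discarded. Assumptions: the owner-name construction is the one in RFC 7929 (the published form of the draft), all replies are constructed sample data rather than captured traffic, and the function names are mine.

```python
import hashlib
import struct

OPENPGPKEY_RRTYPE = 61   # IANA RR type number for OPENPGPKEY
CLASS_IN = 1

FLAG_QR = 0x8000   # header bit: this message is a response
FLAG_TC = 0x0200   # header bit: answer was truncated to fit the UDP payload
FLAG_RD = 0x0100   # header bit: recursion desired
FLAG_RA = 0x0080   # header bit: recursion available
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def openpgpkey_owner_name(mail_address):
    """Owner name per RFC 7929 (assumed): hex(SHA2-256(local-part)[:28])._openpgpkey.<domain>."""
    local_part, domain = mail_address.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero octet."""
    wire = bytearray()
    for label in name.rstrip(".").split("."):
        wire.append(len(label))
        wire += label.encode("ascii")
    wire.append(0)
    return bytes(wire)


def build_query(owner_name, txid):
    """One-question query with RD set and no EDNS: the reply is capped at 512
    octets, so a real OpenPGP key will normally come back with TC=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(owner_name) + struct.pack("!HH", OPENPGPKEY_RRTYPE, CLASS_IN)
    return header + question


def classify_presence(query, response):
    """Decide presence or absence from the header only.

    A truncated reply still carries RCODE and ANCOUNT, so a prober that only
    wants to know whether an address has a key never needs to retry over TCP.
    A reply whose ID does not match our query is useless to us, which is why
    spoofing the source address of a UDP query buys the attacker nothing."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & FLAG_QR:
        return "not-our-reply"
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "absent"            # no such owner name: no key for this local-part
    if rcode != RCODE_NOERROR:
        return "error"
    if ancount == 0:
        return "absent"            # NODATA: name exists but has no OPENPGPKEY RR
    return "present-truncated" if flags & FLAG_TC else "present"


def fake_response(query, flags, ancount):
    """Construct a server reply echoing the query's ID and question section.
    Sample data built here for the demo, not a captured packet; the truncated
    case omits the answer RR exactly as a TC=1 reply may."""
    txid = query[:2]
    question = query[12:]
    return txid + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + question


def demo(mail_address="hugh@example.com"):
    """Run the probe against three constructed replies plus a mismatched ID."""
    owner = openpgpkey_owner_name(mail_address)
    query = build_query(owner, txid=0x1234)
    base = FLAG_QR | FLAG_RD | FLAG_RA
    truncated = fake_response(query, base | FLAG_TC, ancount=1)
    nxdomain = fake_response(query, base | RCODE_NXDOMAIN, ancount=0)
    nodata = fake_response(query, base, ancount=0)
    other_query = build_query(owner, txid=0x4321)
    return {
        "owner": owner,
        "query_octets": len(query),
        "truncated": classify_presence(query, truncated),
        "nxdomain": classify_presence(query, nxdomain),
        "nodata": classify_presence(query, nodata),
        "other_id": classify_presence(other_query, truncated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing here contacts a server; to turn it into a live probe you would send `build_query(...)` over a UDP socket to a resolver and feed the datagram you get back to `classify_presence`. The point the code makes is the one under dispute in the thread: a presence check fits in a single datagram each way, and the reply has to come back to the real sender.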