"Wayne" == Wayne Schlitt
"Re: Re: 'explain' etiquette, or is this a security concern?"
Tue, 20 Apr 2004 13:45:47 -0500
Wayne> I took a look at some old SPF adoption roll data. While
Wayne> only about 0.5% of the domains had exp= modifiers, many of
Wayne> them give specific information that legitimate users would
Wayne> likely want to know. For example, one lists a toll-free
Wayne> number call, another lists the contact email address to
Wayne> help resolve problems. Some list domain-specific websites
Wayne> to visit.
What was 'whois' invented for? What about DNS TXT RRs apart from SPF?
If there is such a need for all this how come none of the experimental
RR types like RP, for example. never became popular?
Wayne> I'm pretty anal about security issues, but I'm having a
Wayne> hard time seeing this as a problem.
What jumps out for me is the possibility of slanderous text in the
SMTP rejection message that would normally be taken as coming from the
the SMTP listener when it actually came from elsewhere. That is an
easy "dirty tricks" type of attack for anyone controlling a DNS zone.
The potential for more technical exploits would seem to be within a
range that many would not consider to be alarming.
Resolving issues like this entails a balance between the usefulness of
the feature and the costs involved. The costs of repeating
explanation text arise from implementation complexity and the ease of
a possibly minor (dirty tricks type) exploit balanced against
essentially duplicating capabilities that already exist elsewhere.
Maybe we can agree on a characterization of the costs and benefits of
repeating the explanation text?
jam