spf-discuss

Re: Can SPF identify wildcard domain forgery?

2004-08-26 17:17:40

On Thu, 26 Aug 2004, Mark Shewmaker wrote:

> On Thu, 2004-08-26 at 07:22, william(at)elan.net wrote:
> > On Thu, 26 Aug 2004, Roger Moser wrote:
> >
> > > Shelby, again: The spammer cannot find out that there is a subdomain
> > > user._spf.example.com. If your name server allows finding out the names of
> > > the subdomains, then it is misconfigured and you should immediately fix
> > > it.
> >
> > That is not quite so if you configure DNSSEC, since then you must allow for
> > transfer of the entire zone (signed, obviously) and this reveals all subdomains.
> > This has been one of the problems that may be stopping wider use of DNSSEC.
>
> What happens to dynamic lookups then?
>
> Say you set up hashme.example.com to return hashes, so that a query to
> variable.hashme.example.com returns a 4-byte hash of "variable"?
>
> Would DNSSEC require that you allow zone transfers of all possible
> values of "variable" for variable.hashme.example.com?
 
Dynamic lookups cannot easily be supported with DNSSEC, at least not the
last time I looked at the RFCs. The recommended way around would be to have
each zone signed at the time you request it (dynamic signing, which as you
can imagine would cause high CPU load and possibly the need for a new hardware
device to be able to do it without impacting performance).

At the same time, if you do have dynamic DNS data, you already have some
problems today with clients that cache the results longer than what you
put in the SOA (which would have to be a very low value indeed). DNS is not the
best database system for dynamically updated records that change often...

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam Research Work:
 http://www.elan.net/~william/asrg/
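The point William makes above, that a signed zone reveals every name in it, follows from how DNSSEC (RFC 4034) proves non-existence: each name carries an NSEC record naming the next owner in canonical order, so the records form a closed chain that anyone can follow. The script below is an added illustration, not code from this thread or from any DNS software. It builds the NSEC chain a signer would emit for a small constructed zone that contains the "hidden" user._spf.example.com name from Roger's post, then walks the chain from the apex and lists what it discloses. The zone contents, the helper names and the function names are all assumptions made for the example; nothing is looked up on the network.

```python
"""Simulate NSEC chain disclosure for a constructed zone (offline, no DNS queries)."""


def canonical_key(name):
    """Sort key implementing DNSSEC canonical name ordering (RFC 4034 section 6.1):
    labels are compared from the rightmost label leftwards, case-insensitively."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(reversed(labels))


def build_nsec_chain(names):
    """Return {owner: next_owner}, i.e. the NSEC 'next domain name' field each
    owner would carry once the zone is signed. The last name wraps to the first."""
    ordered = sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_nsec_chain(apex, nsec):
    """Follow NSEC next-owner pointers from the apex until the chain wraps around.
    Each NSEC record answers 'what name comes after X', so the whole zone is
    recoverable by asking for successive non-existent names."""
    seen = []
    current = apex.rstrip(".").lower()
    while current not in seen:
        seen.append(current)
        current = nsec[current]
    return seen


def exposed_names(apex, names):
    """Defender-side check: the non-apex names a signed zone would disclose."""
    chain = build_nsec_chain(names)
    return sorted(set(walk_nsec_chain(apex, chain)) - {apex.rstrip(".").lower()})


# Constructed zone for the example. The SPF scheme discussed in the thread
# relies on user._spf.example.com staying unguessable; NSEC makes it visible.
ZONE_NAMES = [
    "example.com",
    "www.example.com",
    "mail.example.com",
    "_spf.example.com",
    "user._spf.example.com",
]

if __name__ == "__main__":
    for owner, nxt in build_nsec_chain(ZONE_NAMES).items():
        print(f"{owner:24s} NSEC {nxt}")
    print("disclosed:", exposed_names("example.com", ZONE_NAMES))
```

The chain is built with ordinary signing rules, so the result is the same whether or not zone transfers are allowed: a resolver that only sends normal queries sees the same next-owner names in the authenticated denial-of-existence answers. The practical consequence for the scheme in this thread is that a per-user label under _spf cannot be treated as secret once the zone is signed.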