On Wed, Oct 20, 2004 at 11:49:53AM -0600, Commerco WebMaster wrote:
SPF List Members,
I had sent a message out to the list last week and since have attempted to
contact several SPF testing sites per some feedback to last week's message
in an effort to do the right thing. Thank you to those who responded with
guidance for me on my earlier message.
An event last week started me thinking about recursion in redirect=
statements.
There's a larger problem here that I think you're beginning to touch on,
but don't quite get to: SPF moves the problem of sender nonrepudiation to
DNS space. In essence, the problem becomes DNS RR nonrepudiation.
Apropos Dan Kaminsky's recent work (which highlights problems which
have existed for quite a while; he just puts those problems to novel
nontrivial use), determining whether the RR you're using is the
actual RR becomes a bit of a problem unless you tweak your resolver
such that the mechanisms that allow such trickery are disabled.
The problem is no longer cache poisoning, though that's still an issue;
the problem becomes larger, in that you've got to worry about the source
of the redirect itself, and the validity of the host to which it
redirects. You see, in DNS, one can redirect to any host without
constraint (as demonstrated by Kaminsky's work, and others). Thus,
one could simply serve what looks like an authoritative RR.
Unfortunately, I don't believe any of the existing SPF tools include
their own implementation of a resolver, and thus rely on host
configuration, and in turn the configuration of whichever nameservers
the resolver is using.
This sort of thing is a problem that limiting recursion depth won't
solve.
--
Mark C. Langston GOSSiP Project Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org http://sufficiently-advanced.net
mark(_at_)seti(_dot_)org
Systems & Network Admin Distributed SETI Institute
http://bitshift.org E-mail Reputation http://www.seti.org