spf-discuss

Re: Re: possible changes to the SPF I-D during AUTH48

2005-08-19 19:31:52
In <Pine.LNX.4.44.0508151741550.10883-100000@bmsred.bmsi.com>
 "Stuart D. Gathman" <stuart@bmsi.com> writes:

> On Mon, 15 Aug 2005, wayne wrote:
>
>> *  Can CNAME loops be used to create a DoS attack against the
>>    receiver?
>
> A really long chain will consume memory in order for the receiver to keep
> checking for a loop.  The sending domain can have a DNS server that computes
> the canonical name by adding one to the owner name instead of keeping it
> in a database.  This would consume arbitrary memory on the receiver while
> consuming no memory for the sender.
>
> The receiver will need to keep issuing more DNS requests to
> follow the chain, but these will hit the sender domain as well.

Ok, yeah, that could be a slight problem, except:

1) I think most name servers have options to limit the size of the
   cache.

2) I think it is pretty easy for an attacker to cause arbitrarily
   large numbers of DNS lookups by the receiving MTA.  CNAME chains
   would not be a significant advantage.


>> What we don't care about is:
>>
>> *  Can a domain owner shoot themselves in the foot by using CNAMEs?
>
> Then why are we giving PermError for other syntax errors and
> things like bad includes?

Well, for two reasons:  First, it is a heck of a lot harder to
accidentally create a CNAME chain that is really long than it is to
accidentally type "ip:11.22.33.44" or "prt:foo.com".  Second, this is
often dealt with by the resolver and the application can't easily do
anything to prevent the resolver from checking 1000 CNAME chains.


> So you are suggesting that receivers follow CNAME chains to any
> implementation determined length?

That is my suggestion, yes.



-wayne
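A bounded CNAME-chain follower with loop detection, added here as an example and not taken from the SPF I-D or from any implementation discussed in the thread. It models both the plain loop case and the server Stuart describes, whose CNAME target is computed from the owner name rather than stored; the 10-hop bound, the `attacker.invalid` names and the zone data are constructed assumptions.

```python
import re
# Added illustration for this thread, not code from the SPF I-D or any real resolver.
# The 10-hop bound is an assumed, application-chosen limit, not a value the draft gives.
MAX_CNAME_HOPS = 10

class CnameChainError(Exception):
    """A CNAME chain exceeded the hop bound or looped back on itself."""

def canonicalize(name, lookup, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from `name`; return (canonical_name, hops_followed).
    `lookup(owner)` returns the CNAME target or None for a terminal name. The
    `seen` set holds at most max_hops + 1 names, so a server that mints a fresh
    target per query cannot make the receiver allocate without bound.
    """
    current = name.lower().rstrip(".")
    seen = set()
    for hop in range(max_hops + 1):
        if current in seen:
            raise CnameChainError(f"CNAME loop at {current!r} after {hop} hops")
        seen.add(current)
        target = lookup(current)
        if target is None:
            return current, hop
        current = target.lower().rstrip(".")
    raise CnameChainError(f"CNAME chain from {name!r} exceeds {max_hops} hops")

def chain_error(name, lookup, max_hops=MAX_CNAME_HOPS):
    """Return the error message for a chain, or None if it resolves cleanly."""
    try:
        canonicalize(name, lookup, max_hops)
    except CnameChainError as err:
        return str(err)
    return None

# Constructed data: a static zone with one benign chain and one two-name loop.
STATIC_ZONE = {
    "mail.example.com": "mx.example.com",
    "mx.example.com": "mx1.example.net",
    "loop-a.example.org": "loop-b.example.org",
    "loop-b.example.org": "loop-a.example.org",
}
static_lookup = STATIC_ZONE.get  # dict.get returns None for a name with no CNAME

_HOP = re.compile(r"^hop(\d+)\.attacker\.invalid$")

def endless_lookup(owner):
    """Models the server Stuart describes: the target is the owner name plus one,
    computed per query, so the chain never ends and costs the sender no storage."""
    m = _HOP.match(owner)
    return f"hop{int(m.group(1)) + 1}.attacker.invalid" if m else None
```

Whatever bound a receiver picks, the point of the `seen` set plus the hop limit is that the receiver's memory and query count stay proportional to the limit, not to whatever the sending domain's server is willing to generate.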