[ietf-dkim] Re: Replay attacks, what's that?
Douglas Otis
dotis at mail-abuse.org
Sun Aug 7 01:52:05 PDT 2005
On Sun, 2005-08-07 at 08:06 +0100, Tony Finch wrote:
> On Sat, 6 Aug 2005, Douglas Otis wrote:
> >
> > User-keys in DNS could have a significant impact on DNS traffic. When
> > compared to the overall traffic carried by the messages, this would
> > represent just a percentage of increase. But when considering the
> > impact on DNS cache, the effects could be far greater. Perhaps one
> > solution for protecting the DNS cache would be to severely limit any TXT
> > or KEY record's TTL. However, short TTLs for user-keys AND domain-keys
> > would impact the overall performance of email, as every operation would
> > likely suffer a DNS lookup, with perhaps an increase in the already high
> > DNS response loss rate. With long time-outs and damage to DNS cache,
> > the effect that user-keys may have on DNS could be damaging other
> > applications as well.
>
> DNS performance depends on the caching of NS records, not leaf records,
> so forcing short TTLs on DKIM records won't have much impact.
Increasing the amount of DNS traffic will impact the time required to
obtain any requisite DNS record for any application. I was attempting
to include both possible strategies, one with a higher level of DNS
traffic when key records bypass the DNS cache as a reaction to user-key
use, or one where the DNS cache may be unable to accommodate the
resulting orders of magnitude increase in resource record data. Again,
I think this requires study. The traffic generated by user-keys in DNS
would be further increased when the DNS cache is bypassed for just these
records.
-Doug
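As an added illustration of the cache argument above (this script is not part of Doug's post or of anything on the ietf-dkim list), the following Python model runs one stream of messages through a small recursive-resolver cache three times: once with one DKIM key record per sending domain, once with one record per sending user, and once with a domain record whose TTL is so short that nothing survives between lookups. Every number (50 domains, 200 users per domain, 10,000 messages, a 1,000-entry cache, the TTLs) is a constructed assumption chosen only to make the effect visible, as is the convention that a per-user key lives under a selector named after the local-part; DKIM publishes keys at `<selector>._domainkey.<domain>`, but how a per-user selector would be chosen is not something the thread settles.

```python
"""Toy model of a resolver cache under domain-level vs per-user DKIM key records.

Added example; all parameters are constructed assumptions, not measurements.
"""
from collections import OrderedDict
import random


class TTLCache:
    """Minimal LRU cache with per-entry TTL, standing in for a recursive resolver's cache."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # record name -> expiry time
        self.hits = 0
        self.misses = 0

    def lookup(self, name, now, ttl):
        """Return True on a cache hit; on a miss, 'fetch' the record and cache it for ttl."""
        expiry = self.entries.get(name)
        if expiry is not None and expiry > now:
            self.entries.move_to_end(name)  # mark as most recently used
            self.hits += 1
            return True
        self.misses += 1                    # an upstream query would be sent here
        if expiry is not None:
            del self.entries[name]          # stale entry: replace in place
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # full: evict least recently used
        self.entries[name] = now + ttl
        return False


def key_record_name(sender, per_user):
    """DKIM key record name <selector>._domainkey.<domain>.

    Assumption for the per-user case: the selector carries the sender's local-part,
    so every distinct sender address maps to a distinct DNS name.
    """
    local, domain = sender.split("@")
    selector = local if per_user else "mail"
    return f"{selector}._domainkey.{domain}"


def make_stream(n_domains, users_per_domain, n_messages, seed=1):
    """Constructed message stream: senders drawn uniformly from a fixed user population."""
    rng = random.Random(seed)
    return [
        f"user{rng.randrange(users_per_domain)}@example{rng.randrange(n_domains)}.test"
        for _ in range(n_messages)
    ]


def simulate(messages, per_user, ttl, capacity):
    """Feed one message per time tick through the cache; return (hits, misses)."""
    cache = TTLCache(capacity)
    for now, sender in enumerate(messages):
        cache.lookup(key_record_name(sender, per_user), now, ttl)
    return cache.hits, cache.misses


def run_comparison(n_domains=50, users_per_domain=200, n_messages=10_000,
                   capacity=1_000, long_ttl=86_400, short_ttl=1):
    """Compare the three strategies on the same stream; returns a dict of counters."""
    stream = make_stream(n_domains, users_per_domain, n_messages)
    scenarios = [
        ("domain keys, long TTL", False, long_ttl),
        ("user keys, long TTL", True, long_ttl),
        ("domain keys, short TTL", False, short_ttl),
    ]
    results = {}
    for label, per_user, ttl in scenarios:
        hits, misses = simulate(stream, per_user, ttl, capacity)
        results[label] = {
            "hits": hits,
            "misses": misses,
            "distinct_names": len({key_record_name(s, per_user) for s in stream}),
        }
    return results


if __name__ == "__main__":
    for label, r in run_comparison().items():
        total = r["hits"] + r["misses"]
        print(f"{label:24s} upstream queries: {r['misses']:5d} / {total} "
              f"(distinct records: {r['distinct_names']})")
```

With the domain-level records the cache sends exactly one query per distinct domain and answers everything else locally; with per-user records the distinct-name count exceeds the cache size and the miss count tracks it, and with a one-tick TTL every single message costs an upstream query even though there are only 50 records to know about. The model ignores negative caching, shared caches, and response loss, so it shows the direction of the effect rather than its size.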