[ietf-dkim] New Issue: TLD key publication and signing
pbaker at verisign.com
Mon Feb 20 13:25:14 PST 2006
> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Mark Delany
> Presumably a malicious TLD operator can also change what name
> servers answer for your domain in which case they can
> completely assume your identity as far as DKIM is concerned.

While this ability is implicit in the DNS delegation mechanism, I think
that what Mark was proposing here was that we consider this as an issue.

It may be that the ultimate solution to this problem is to push it off
onto ICANN, but we probably need to understand the scope of what is
implied ourselves before we try to explain it to Twomey and co.

First let us consider what an upper level TLD can say about a lower

1) .test can assert XXX is a signing key for domain example.test
2) .test can assert all email from example.test is signed

The first of these is somewhat worrying because it means that .test can
create mail for any subdomain and sign it.

The second is more like a denial of service attack.

I can't see a perfect way out of this problem because one of the things
that people want to do here is to allow domains further down the tree to
be able to assert strong control over their subdomains. So mit.edu can
insist that lcs.mit.edu sign its messages.

A possible solution might be to insist that a signature key record match
the domain exactly unless there was a policy on the subdomain to
explicitly allow superdomain matches.
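
The exact-match rule proposed in the last paragraph of the message, as an added example that is not part of the original post or of any DKIM specification. The policy store and its `allow_superdomain_keys` field are hypothetical stand-ins for whatever record a subdomain would publish.

```python
# Added illustration of "match the domain exactly unless the subdomain's
# policy explicitly allows superdomain matches". The policy dictionary and
# the field name allow_superdomain_keys are hypothetical.

def normalize(domain: str) -> tuple[str, ...]:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = domain.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = tuple(name.split("."))
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed domain: {domain!r}")
    return labels


def is_superdomain(parent: str, child: str) -> bool:
    """True if parent is a proper ancestor of child, compared label by label
    so that "it.edu" is never treated as an ancestor of "mit.edu"."""
    p, c = normalize(parent), normalize(child)
    return len(p) < len(c) and c[-len(p):] == p


def key_acceptable(author_domain: str, key_domain: str, policies: dict) -> bool:
    """Decide whether a key published at key_domain may sign for author_domain."""
    if normalize(author_domain) == normalize(key_domain):
        return True  # exact match is always acceptable
    if not is_superdomain(key_domain, author_domain):
        return False  # unrelated domain, or a subdomain signing for its parent
    # Key comes from higher up the tree: honour it only if the
    # subdomain itself has opted in.
    policy = policies.get(".".join(normalize(author_domain)), {})
    return policy.get("allow_superdomain_keys", False) is True


# Constructed sample policies, keyed by the subdomain that published them.
POLICIES = {
    "lcs.mit.edu": {"allow_superdomain_keys": True},  # lets mit.edu sign for it
    "example.test": {},                               # no opt-in published
}

if __name__ == "__main__":
    for author, key in [("example.test", "example.test"),
                        ("example.test", "test"),
                        ("lcs.mit.edu", "mit.edu")]:
        print(author, "signed with key at", key, "->",
              key_acceptable(author, key, POLICIES))
```

A boolean opt-in of this kind admits every ancestor of the subdomain, so `lcs.mit.edu` opting in for `mit.edu` also accepts a key published at `edu`.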