[ietf-dkim] Threats Issue - Large DNS records make servers targets for spoofed source amplification attacks abuse
fenton at cisco.com
Mon Feb 27 22:34:06 PST 2006
> On Mon, 27 Feb 2006, Jim Fenton wrote:
>>> Getting back to this group work - you are expecting to introduce large
>>> DNS records as a mainstream for many dns servers. This would make such
>>> servers a great target for use in amplification attacks even if those
>>> servers are not configured to do recursion. This is bad, and the potential
>>> for such an attack and abuse for anyone using DKIM must be documented,
>>> and it must be made clear that servers with DKIM records may become
>>> targets for use in DNS amplification attacks. In fact, the larger the
>>> record you put in dns, the better target for such an attack it becomes!
>> If we were to include this in the threat document, it would need to go
>> into a new category because it's not a threat to the signature mechanism
>> nor to SSP, but rather an attack on DNS that might be facilitated by
>> DKIM. I'm not sure whether this is in-scope for the threat document or
>> not, but it would be an expansion of its current scope to include it.
> It is definitely something that people considering DKIM should be
> aware of, so it should be in the threats document, and if you think you
> need a new category - do it. Part of this problem is directly a threat to
> DKIM (as opposed to a threat because of DKIM), as such abuse of DKIM
> public key records would result in a denial of service attack on the dns
> server serving the records and thus denial of service on the DKIM
> verification process. But this is rather one of the after-effects than
> a source of the problem.
That's one vote in favor of including this sort of threat in the threats
document. Other opinions?
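To put a number on the "larger record, better target" point made above, here is an added example (not from this thread or any DKIM implementation) that sizes the DKIM TXT record a domain would publish for a given RSA key length and compares it with the minimal query that fetches it. The selector name is a constructed placeholder, the key bytes are zero-filled since only their length matters, and the record is assumed to carry just the v=, k= and p= tags.

```python
import base64

def der_len(n: int) -> bytes:
    """DER definite-form length octets for a content of n bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(content_len: int) -> int:
    """Total size of one DER tag-length-value whose content is content_len bytes."""
    return 1 + len(der_len(content_len)) + content_len

def rsa_spki_der_size(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """Size of the RSA SubjectPublicKeyInfo DER that DKIM publishes in the p= tag.
    The modulus INTEGER needs a leading 0x00 byte because its top bit is set."""
    modulus = der_tlv(modulus_bits // 8 + 1)
    exponent = der_tlv(exponent_bytes)
    rsa_public_key = der_tlv(modulus + exponent)
    bit_string = der_tlv(1 + rsa_public_key)       # 1 byte unused-bits count
    alg_id = 15                                    # SEQUENCE { OID rsaEncryption, NULL }
    return der_tlv(alg_id + bit_string)

def dkim_txt_rdata(modulus_bits: int) -> bytes:
    """Wire-format TXT RDATA for 'v=DKIM1; k=rsa; p=<base64>', split into
    <character-string>s of at most 255 bytes, each with a 1-byte length prefix.
    The key is a zero-filled placeholder of the right length (constructed); only size matters."""
    key_b64 = base64.b64encode(bytes(rsa_spki_der_size(modulus_bits)))
    text = b"v=DKIM1; k=rsa; p=" + key_b64
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def wire_name_len(name: str) -> int:
    """Length of a DNS name on the wire: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def amplification(selector_fqdn: str, modulus_bits: int) -> dict:
    """Bytes in a minimal TXT query vs. the answer carrying one DKIM record, and their ratio.
    Response = header + echoed question + one RR (2-byte name pointer, type, class, TTL, RDLENGTH, RDATA)."""
    query = 12 + wire_name_len(selector_fqdn) + 4
    rr = 2 + 2 + 2 + 4 + 2 + len(dkim_txt_rdata(modulus_bits))
    response = query + rr
    return {"query_bytes": query, "response_bytes": response,
            "ratio": round(response / query, 1),
            "exceeds_512": response > 512}  # >512 without EDNS0 means TC=1 and a TCP retry

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, amplification("selector1._domainkey.example.com", bits))
```

The `exceeds_512` flag matters for the risk assessment: a response that does not fit in a classic 512-byte UDP datagram is truncated unless the querier advertised a larger EDNS0 buffer, which caps what a plain UDP query can elicit.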