[ietf-dkim] draft-ietf-dkim-threats-02 nit//Packet Amplification
Douglas Otis
dotis at mail-abuse.org
Thu Apr 6 12:03:03 PDT 2006
,----
|4.3.1. Packet Amplification Attacks via DNS
|
| DKIM contributes indirectly to this attack by requiring the
| publication of fairly large DNS records for distributing public keys.
| The names of these records are also well known, since the record
| names can be determined by examining properly-signed messages. This
| attack does not have an impact on DKIM itself. DKIM, however, is not
| the only application which uses large DNS records, and a DNS-based
| solution to this problem will likely be required.
'____
DKIM might directly contribute to a packet amplification attack.
When an unlimited number of signatures are evaluated or a label tree
must be traversed for a list of email-address domains, the level of
targeted network traffic must be considered.
Change to:
| DKIM contributes indirectly to this attack by requiring the
| publication of fairly large DNS records for distributing public keys.
| When published with a wildcard label, the impact these keys might
| have increases when being exploited. DKIM may directly lead to an
| amplification attack without ensuring reasonable limits upon the
| number of verifications per message or the nature of the DNS
| transaction. While DKIM is not the only application using large DNS
| records, caution is required as regulating DNS traffic is problematic.
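One way a verifier can enforce the per-message limit the proposed text asks for, as an added example that is not code from this post or from any DKIM implementation: the DKIM-Signature headers are parsed, the key record name s._domainkey.d is derived for each, duplicate records are fetched once, and no DNS query is issued past a fixed budget. The budget of three lookups and the five-signature sample message are constructed assumptions for illustration.

```python
import email

MAX_KEY_LOOKUPS = 3  # assumed budget for illustration; a real verifier would make it configurable

# Constructed sample: five signatures, two of which share one key record.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=x; b=y\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=x; b=z\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=k2; bh=x; b=w\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=k3; bh=x; b=v\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.edu; s=k4; bh=x; b=u\n"
    "From: alice at example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def parse_tags(header_value):
    """Split a DKIM tag=value list into a dict, discarding folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def plan_key_lookups(raw_message, budget=MAX_KEY_LOOKUPS):
    """Return (key_records_to_fetch, signatures_skipped) for one message.

    Names are s._domainkey.d, deduplicated in header order; once the budget is
    spent, further signatures count as skipped instead of generating DNS traffic.
    """
    msg = email.message_from_string(raw_message)
    lookups, skipped = [], 0
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if "d" not in tags or "s" not in tags:
            skipped += 1  # malformed: fails verification, never costs a query
            continue
        name = "%s._domainkey.%s" % (tags["s"].lower(), tags["d"].lower())
        if name in lookups:
            continue  # same record already fetched; verify with the cached key
        if len(lookups) >= budget:
            skipped += 1
            continue
        lookups.append(name)
    return lookups, skipped
```

Signatures past the budget should be treated as unverified rather than retried, so a message carrying many signatures costs the verifier at most `budget` queries regardless of how it was crafted.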