[ietf-dkim] CNAME's

Steve Atkins steve at blighty.com
Wed Jul 5 13:26:24 PDT 2006


On Jul 5, 2006, at 1:09 PM, Michael Thomas wrote:

> Mark Delany wrote:
>
>> On Wed, Jul 05, 2006 at 08:37:52AM -0700, Michael Thomas allegedly  
>> wrote:
>>
>>
>>>>> It's my belief that DKIM selectors don't allow CNAME's. Am I  
>>>>> correct?
>>>>>
>>
>>
>>> First off, let's suppose DKIM's query mechanism were a lot like it  
>>> is today, but
>>> the base mechanism didn't have CNAME's. Suppose that somebody  
>>> proposed
>>> that we should introduce them as a feature. What are:
>>>
>>
>> [ the costs, risks, benefits ]
>>
>> While interesting, as a practical matter, most verifiers would  
>> have to
>> go to extraordinary length to reliably detect CNAMEs so I think the
>> question is mostly moot unless it can be shown that there is a risk
>> unique to DKIM.
>>
> Well, here's one: DKIM often runs during the incoming SMTP  
> conversation
> with its inherent timeouts. Can attackers exploit that fact? What  
> should a
> developer do to minimize risk?

Have a reasonable timeout on any DNS query, treat the message as
unsigned if the public key cannot be retrieved?

There doesn't appear to be any DNS-related risk to the recipient of
the message, as long as the verification code is written with some
care. There are lots of things the sender can do (and a few things a
third party could do) that would break the DNS-related bits of DKIM,
but I can't think of a case where anything worse than some excess
DNS traffic followed by the message being treated as unsigned
would happen.

Cheers,
   Steve
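
An added sketch of the approach in the reply above (not part of the original message and not taken from any DKIM implementation): one time budget covers the whole key lookup, CNAME hops are capped, and every failure yields `None`, meaning "treat the message as unsigned". The `query` hook, `FakeDNS`, its zone data, and the budget and hop limits are assumptions constructed for illustration.

```python
import time

class LookupFailed(Exception): pass  # NXDOMAIN, SERVFAIL, other resolver errors

def fetch_dkim_key(selector, domain, query, clock=time.monotonic,
                   budget=5.0, max_cnames=4):
    """Return the key TXT record, or None: treat the message as unsigned."""
    # query(name, timeout) -> (rtype, value) is a hypothetical resolver hook
    # that raises TimeoutError or LookupFailed.
    name = f"{selector}._domainkey.{domain}".lower()
    deadline = clock() + budget          # one budget for the whole chain
    for _ in range(max_cnames + 1):      # bounded, so alias loops terminate
        remaining = deadline - clock()
        if remaining <= 0:
            return None
        try:
            rtype, value = query(name, timeout=remaining)
        except (TimeoutError, LookupFailed):
            return None
        if rtype != "CNAME":
            return value if rtype == "TXT" else None
        name = value.lower()             # follow the alias within the budget
    return None                          # too many hops

class FakeDNS:
    """Constructed zone, simulated clock: name -> (rtype, value, latency s)."""
    ZONE = {
        "s1._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER", 0.1),
        "alias._domainkey.example.com": ("CNAME", "s1._domainkey.example.com", 0.1),
        "loop._domainkey.example.com": ("CNAME", "loop._domainkey.example.com", 0.1),
        "slow._domainkey.example.com": ("CNAME", "slow2._domainkey.example.com", 3.0),
        "slow2._domainkey.example.com": ("CNAME", "s1._domainkey.example.com", 3.0),
    }
    def __init__(self):
        self.now, self.queries = 0.0, 0
    def query(self, name, timeout):
        self.queries += 1
        if name not in self.ZONE:
            raise LookupFailed(name)
        rtype, value, latency = self.ZONE[name]
        self.now += min(latency, timeout)   # a slow answer costs at most the timeout
        if latency > timeout:
            raise TimeoutError(name)
        return rtype, value

def lookup(selector, domain="example.com"):
    """Run one lookup against a fresh FakeDNS; return (key, elapsed, queries)."""
    dns = FakeDNS()
    key = fetch_dkim_key(selector, domain, dns.query, clock=lambda: dns.now)
    return key, dns.now, dns.queries
```

In the constructed zone, the `slow` selector shows the budget spanning the alias chain: the second hop only gets the two seconds the first hop left over.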


