[ietf-dkim] CNAME's
Mark Delany
MarkD+dkim at yahoo-inc.com
Wed Jul 5 13:33:13 PDT 2006

> Well, here's one: DKIM often runs during the incoming SMTP conversation
> with its inherent timeouts. Can attackers exploit that fact? What should a
> developer do to minimize risk?

Can you elaborate on how CNAME in particular comes into play here?

If the SMTP server does any DNS queries at all, whether that be for
DKIM, reverse mapping, RBLs, PKIX servers or any other modern-day
goop, then those queries can easily have CNAMEs in the chain. Even
just following the NS tree down to the authoritative server for the d=
domain in question can easily have CNAMEs that a client/cache already
follows today.

The only question can be, does a CNAME immediately prior to the final
TXT/DKK RR add a threat that is different from CNAMEs encountered
earlier in the lookup process.

Mark.
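
The lookup discussed in this thread, as an added example that is not part of the original message or of any DKIM implementation: a simplified model of a verifier fetching the key record during the SMTP conversation, following CNAMEs under a hop cap, loop check and total time budget. The zone data, latencies, function name and limits are all constructed assumptions.

```python
# Constructed in-memory "DNS" data: name -> (rrtype, value, simulated latency in ms).
ZONE = {
    "sel._domainkey.example.com": ("CNAME", "sel.keys.provider.example", 200),
    "sel.keys.provider.example": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER", 300),
    "loop._domainkey.example.com": ("CNAME", "loop2.example.com", 100),
    "loop2.example.com": ("CNAME", "loop._domainkey.example.com", 100),
    "slow._domainkey.example.com": ("CNAME", "slow.keys.provider.example", 4000),
    "slow.keys.provider.example": ("TXT", "v=DKIM1; p=PLACEHOLDER", 4000),
}


def fetch_dkim_key(selector, domain, zone=ZONE, max_cnames=8, budget_ms=5000):
    """Resolve <selector>._domainkey.<domain> to its TXT record.

    Returns (status, txt_or_None, cnames_followed, ms_spent), where status is
    "ok", "nxdomain", "loop", "too_many_cnames" or "timeout". budget_ms is the
    share of the SMTP transaction the verifier allows for this one lookup
    (an assumed value, not taken from any specification).
    """
    name = f"{selector}._domainkey.{domain}".lower().rstrip(".")
    seen, spent, hops = set(), 0, 0
    while True:
        if name in seen:                      # CNAME chain points back at itself
            return ("loop", None, hops, spent)
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return ("nxdomain", None, hops, spent)
        rrtype, value, latency = rr
        if spent + latency > budget_ms:       # give up once the budget is used
            return ("timeout", None, hops, budget_ms)
        spent += latency
        if rrtype == "TXT":                   # final key record reached
            return ("ok", value, hops, spent)
        hops += 1                             # a CNAME: one more query to make
        if hops > max_cnames:
            return ("too_many_cnames", None, hops, spent)
        name = value.lower().rstrip(".")


if __name__ == "__main__":
    for sel in ("sel", "loop", "slow", "missing"):
        print(sel, fetch_dkim_key(sel, "example.com"))
```

On a non-"ok" status the verifier can treat the signature as unverifiable (temporary or permanent, by local policy) instead of holding the SMTP session open.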