[ietf-dkim] Base-04 //Security Concerns beyond Zone delegation
dotis at mail-abuse.org
Fri Jul 21 15:56:10 PDT 2006
At the last meetings in Montreal, a few others also mentioned DKIM
introduces a new concern beyond what is normally covered by zone
delegations. There was also a related discussion in dnsop that
related this concern with that of the ongoing problem affecting the
use of a web cookie from allowing the same unverified administrative
assertions now attempting to be repaired. There were previous
attempts to expand upon the limited advice found in the Threat
document for placement within the base Security Considerations that
failed to reach WG consensus. Judging by these comments however, it
seems that addressing this concern succinctly within the draft may
proactively satisfy these concerns.
|4.1.18. Key Publication by Higher Level Domain
| So it is unlikely that a higher level domain would intentionally
| compromise a subdomain in this manner. However, if higher level
| domains send mail on their own behalf, they may wish to publish
| keys at their own level. Higher level domains must employ
| special care in the delegation of keys they publish to ensure
| that any of their subdomains are not compromised by misuse of
| such keys.
Enhanced Zone Delegation Agreements
The deployment of DKIM may require additional agreements extending
beyond those for normal zone delegation. These agreements may be
required to facilitate control over the validation of signing
identities. The validation of DKIM signing identities may involve
keys within a domain not delegated to the domain receiving email for
the affected signing identity. It is possible these agreements might
preclude the publishing of a "_domainkey" subdomain within a parent
domain, or require that keys referenced from a parent domain have the "s"
flag set within the key's t= tag value.
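As an added illustration of the "s" flag mentioned above (example code written for this note, not from the post, the draft, or any DKIM implementation): a verifier-side check of whether a key published in a parent domain may vouch for a signing identity in a subdomain. The key records, domains and helper names are constructed for the example.

```python
def parse_key_record(txt):
    """Split a DKIM TXT key record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def key_flags(tags):
    """t= is a colon-separated flag list; an absent t= means no flags."""
    return {f.strip() for f in tags.get("t", "").split(":") if f.strip()}


def identity_domain(i_tag, d_tag):
    """Domain part of the i= identity; it defaults to d= when i= is absent."""
    if i_tag is None:
        return d_tag
    return i_tag.rsplit("@", 1)[-1]


def identity_allowed(key_txt, d_tag, i_tag=None):
    """True if a key found at <selector>._domainkey.<d_tag> may vouch for
    the signing identity i_tag under the restrictions in its t= flags."""
    tags = parse_key_record(key_txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False
    idom = identity_domain(i_tag, d_tag).lower()
    d = d_tag.lower()
    if idom == d:
        return True
    # The i= domain must be d= itself or one of its subdomains.
    if not idom.endswith("." + d):
        return False
    # With the "s" flag set, a parent-domain key may not vouch for
    # identities in subdomains, which is the restriction discussed above.
    return "s" not in key_flags(tags)


# Constructed sample records (the p= values are placeholders, not real keys).
KEY_OPEN = "v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_KEY"
KEY_STRICT = "v=DKIM1; k=rsa; t=y:s; p=CONSTRUCTED_PLACEHOLDER_KEY"

if __name__ == "__main__":
    # A parent-domain key without "s" vouches for a subdomain identity;
    # the same key with t=s does not.
    print(identity_allowed(KEY_OPEN, "example.com", "@sub.example.com"))
    print(identity_allowed(KEY_STRICT, "example.com", "@sub.example.com"))
```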