[ietf-dkim] New Issue: Applicability of SSP to subdomains
Michael Thomas
mike at mtcc.com
Fri Dec 8 15:23:58 PST 2006
Eliot Lear wrote:
> Jim,
>
> I'm not sure I fully understand the threat. If an attacker is
> attacking from mail.example.com, then mail.example.com must have been
> delegated to first in example.com. Otherwise, there would be no
> lookup for an SSP record in mail.example.com, right?
>
> I had thought the concern was the wildcard concern about how much
> trust is afforded between superior and inferior domains. In that
> case, I answer, "you pays your money you takes your chances". Don't
> like a particular superior? Find another. If you can't for policy
> reasons, then that's not a technical problem.
>
> What do I have wrong?
It's fairly simple. Let's say I have a policy record setup for:
_policy._domainkey.example.com: "policy=I-sign-everything;"
Then if there's unsigned mail for foo at example.com, I look it up
at example.com, I see that unsigned mail is bogus, life is good.
So attacker now gets smarter and sends as foo at a.b.c.d.example.com.
Is there a policy record there? No. Can I populate every possible
subdomain there? Not with DNS wildcards, therefore no. Uh-oh.
Mike
More information about the ietf-dkim
mailing list