[ietf-dkim] New issue: Upward query vs. wildcard publication
Michael Thomas
mike at mtcc.com
Thu Apr 19 14:24:52 PDT 2007
John L wrote:
>> percentages are "normal" vs. "unusual", but my cursory look a
>> long time ago suggested that it met the 80-20 rule.
>
> You are certainly correct that most zones are pretty flat, but this
> sounds like a DOS attack waiting to happen, send out junk with long
> bogus addresses and watch the system on the other end chew up its
> cache crawling up to the SOA. That's why we arbitrarily limited the
> walk in CSV to five levels.
No, it circumvents that problem. It goes like this:
1) query for the name _policy._domainkey.sub.domain.attack.foo.com
2) if you don't get an SSP RR, check to see if it gave
you NS or SOA authority records.
o If they're available and it's a parent domain of the domain
you're querying from, query that label.
3) done.
Thus for:
baz@sub.domain.attack.foo.com
query: _policy._domainkey.sub.domain.attack.foo.com
which returns:
>> NXDOMAIN or NODATA and an authority section SOA of
foo.com. 10800 IN SOA dns-rtp2-2-l.
postmaster.foo.com. 8004725 7200 1800 86
Take the authority domain and try again:
policy._domainkey.sub.foo.com
>> v=DKIM1; o=~; t=y; r=abuse@foo.com
You never go any further than this.
Mike
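The two-step walk above, as an added example that is not part of the original post: a small Python model of the upward query where the sender domain is asked first and, on NXDOMAIN/NODATA, the zone named by the SOA in the authority section is asked once more, so the number of lookups stays at two no matter how many labels an attacker stacks into the address. `MOCK_DNS`, `lookup`, `is_parent` and `find_ssp` are constructed names, and the answers are embedded stand-ins for DNS responses rather than real lookups; only the SOA case is modelled.

```python
# Constructed stand-in for DNS answers (no network). Each entry maps a query
# name to (rcode, TXT rdata or None, SOA owner from the authority section or None).
MOCK_DNS = {
    "_policy._domainkey.foo.com": ("NOERROR", "v=DKIM1; o=~; t=y; r=abuse@foo.com", None),
    # A server whose SOA points somewhere that is not our parent: must not be followed.
    "_policy._domainkey.evil.example": ("NXDOMAIN", None, "unrelated.example"),
}


def lookup(qname):
    """Simulated resolver. foo.com is authoritative for everything below it,
    so any unknown name under it comes back NXDOMAIN with foo.com's SOA."""
    if qname in MOCK_DNS:
        return MOCK_DNS[qname]
    if qname.endswith(".foo.com"):
        return ("NXDOMAIN", None, "foo.com")
    return ("NXDOMAIN", None, None)


def is_parent(zone, domain):
    """True when zone is a proper, label-aligned ancestor of domain."""
    return domain != zone and domain.endswith("." + zone)


def find_ssp(sender_domain):
    """Upward SSP query: ask at the sender domain, then at most once more at the
    zone named in the authority SOA. Returns (policy record or None, names queried)."""
    queried = []
    qname = "_policy._domainkey." + sender_domain
    rcode, rdata, soa_owner = lookup(qname)
    queried.append(qname)
    if rdata is not None:
        return rdata, queried
    # No record at the sender domain: jump straight to the authoritative zone,
    # but only if it really is a parent of the domain we asked about.
    if soa_owner and is_parent(soa_owner, sender_domain):
        qname = "_policy._domainkey." + soa_owner
        rcode, rdata, soa_owner = lookup(qname)
        queried.append(qname)
        return rdata, queried
    return None, queried


if __name__ == "__main__":
    print(find_ssp("sub.domain.attack.foo.com"))
    print(find_ssp("a.b.c.d.e.f.g.h.i.j.k.l.m.n.foo.com"))  # still only two queries
    print(find_ssp("evil.example"))
```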