MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues
Damon
deepvoice at gmail.com
Thu Jun 7 08:09:06 PDT 2007
> No, this doesn't change the semantics of DKIM-BASE. The DKIM-Base
> "ignore failures" philosophy is basically "an invalid signature is
> exactly the same as no signature at all: no better and no worse." What
> we're talking about is how the missing/invalid signature case is handled.
>
> -Jim
The document already covers this case. It assumes that anyone doing so
must be a bad actor. Says nothing about good players doing it on
purpose :-)
8.7. Intentionally Malformed Key Records

It is possible for an attacker to publish key records in DNS that are intentionally malformed, with the intent of causing a denial-of-service attack on a non-robust verifier implementation. The attacker could then cause a verifier to read the malformed key record by sending a message to one of its users referencing the malformed record in a (not necessarily valid) signature. Verifiers MUST thoroughly verify all key records retrieved from the DNS and be robust against intentionally as well as unintentionally malformed key records.
Regards,
Damon Sauer
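The "robust against malformed key records" requirement quoted above is easy to state and easy to get wrong. The following is an added example, not code from the list post or from any DKIM implementation: a strict parser for a DKIM key record (the tag=value TXT text, v=/k=/p=/h=/s=/t= tags) that treats every defect as "no usable key", never as an exception that escapes the verifier. The sample records and the DER-shaped blob used as a stand-in for the p= value are constructed for the example and are not real keys; the 4096-byte cap and the leading-0x30 sanity check are the example's own assumptions, not something RFC 4871 prescribes.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumption for this example: refuse absurdly long records before parsing.
MAX_RECORD_LEN = 4096
# RFC 4871 tag names: ALPHA followed by ALPHA / DIGIT / "_".
_TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class KeyRecordError(ValueError):
    """Any defect that makes the record unusable; callers treat it as 'no key'."""


@dataclass(frozen=True)
class DkimKeyRecord:
    key_type: str
    public_key: bytes                      # decoded p= value (DER SubjectPublicKeyInfo)
    hash_algs: Optional[FrozenSet[str]]    # h= tag; None means any algorithm
    service_types: FrozenSet[str]          # s= tag; default "*"
    flags: FrozenSet[str]                  # t= tag; default empty


def parse_tag_list(record: str) -> Dict[str, str]:
    """Split a tag=value list, rejecting duplicates and items without '='."""
    if len(record) > MAX_RECORD_LEN:
        raise KeyRecordError("record too long")
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue                        # a trailing ';' is permitted
        if "=" not in item:
            raise KeyRecordError(f"tag without '=': {item[:20]!r}")
        name, _, value = item.partition("=")  # first '=' only; base64 padding keeps its '='
        name = name.strip()
        if not _TAG_NAME_RE.match(name):
            raise KeyRecordError(f"bad tag name {name[:20]!r}")
        if name in tags:
            raise KeyRecordError(f"duplicate tag {name!r}")
        tags[name] = value.strip()
    return tags


def _colon_list(value: str) -> FrozenSet[str]:
    return frozenset(v.strip() for v in value.split(":") if v.strip())


def parse_key_record(record: str) -> DkimKeyRecord:
    """Validate a key record thoroughly; raise KeyRecordError on any defect."""
    tags = parse_tag_list(record)
    if "v" in tags:
        if next(iter(tags)) != "v":         # v=, if present, must be the first tag
            raise KeyRecordError("v= tag is not first")
        if tags["v"] != "DKIM1":
            raise KeyRecordError(f"unsupported version {tags['v']!r}")
    key_type = tags.get("k", "rsa")
    if key_type != "rsa":
        raise KeyRecordError(f"unsupported key type {key_type!r}")
    if "p" not in tags:
        raise KeyRecordError("missing p= tag")
    p_value = re.sub(r"\s+", "", tags["p"])  # folding whitespace inside p= is legal
    if p_value == "":
        raise KeyRecordError("key revoked (empty p=)")
    try:
        public_key = base64.b64decode(p_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise KeyRecordError(f"p= is not valid base64: {exc}") from None
    # Cheap shape check (assumption of this example): a DER SubjectPublicKeyInfo
    # begins with a SEQUENCE tag. The real decode belongs to the crypto library,
    # whose failure must also be caught and mapped to 'no key'.
    if not public_key or public_key[0] != 0x30:
        raise KeyRecordError("p= does not look like a DER SubjectPublicKeyInfo")
    hash_algs = _colon_list(tags["h"]) if "h" in tags else None
    if hash_algs is not None and not hash_algs:
        raise KeyRecordError("h= tag is empty")
    return DkimKeyRecord(
        key_type=key_type,
        public_key=public_key,
        hash_algs=hash_algs,
        service_types=_colon_list(tags.get("s", "*")),
        flags=_colon_list(tags.get("t", "")),
    )


def usable_key(record: str) -> Optional[DkimKeyRecord]:
    """The verifier-facing entry point: a malformed record is simply 'no key'."""
    try:
        return parse_key_record(record)
    except KeyRecordError:
        return None


# Constructed sample records for the example (not real keys).
FAKE_KEY_BYTES = b"\x30\x0c" + b"\x00" * 12
FAKE_KEY_B64 = base64.b64encode(FAKE_KEY_BYTES).decode()
SAMPLE_RECORDS = {
    "good": f"v=DKIM1; k=rsa; h=sha256; p={FAKE_KEY_B64}",
    "good_fws": f"v=DKIM1; k=rsa; p={FAKE_KEY_B64[:5]} {FAKE_KEY_B64[5:]};",
    "revoked": "v=DKIM1; k=rsa; p=",
    "no_p": "v=DKIM1; k=rsa",
    "dup": "v=DKIM1; k=rsa; k=rsa; p=AAAA",
    "garbage_b64": "v=DKIM1; p=!!!!not-base64!!!!",
    "no_equals": "v=DKIM1; k=rsa; p",
    "huge": "v=DKIM1; p=" + "A" * 100000,
    "wrong_version": "v=DKIM2; p=AAAA",
    "v_not_first": "k=rsa; v=DKIM1; p=AAAA",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:14s} -> {'usable' if usable_key(rec) else 'no key'}")
```

The design point is the last function: every failure path converges on `None`, so a verifier that cannot use the record behaves exactly as if the selector did not exist, which is the "invalid is the same as none" rule Jim describes. Whatever crypto library eventually consumes `public_key` needs the same wrapping, since a parser that is robust up to the base64 boundary and then lets the DER decoder throw has not met the requirement.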