[ietf-dkim] I-D Action:draft-ietf-dkim-ssp-00.txt

Douglas Otis dotis at mail-abuse.org
Fri Jul 6 10:20:19 PDT 2007 

On Jul 5, 2007, at 2:25 PM, Jim Fenton wrote:

> I have seen a few comments on the list, in particular Phillip's  
> comment about the downgrade attack that we need to discuss more.   
> If any of you are holding onto comments, please go ahead.

While Phillip is correct about the downgrade issue, the key record  
would need to be modified instead of an SSP record.  The SSP record  
is only checked when the message is not signed by a domain that is at  
or above the email address domain.

> I'm particularly interested in reactions to the algorithm given in  
> section 4.4.

The only way to provide full coverage without dramatically increasing  
the zone size would be to ensure an SSP record coincides with every  
SMTP discovery record (MX and A).  Deprecation of the A for discovery  
now should exclude use of AAAA records from becoming a problem.  Over  
time, A record discovery could be obsoleted where SSP records would  
only need to coincide with MX records.  The A record discovery aspect  
of SMTP would become obsolete once a MX record for an email-address  
domain becomes a requisite for message acceptance at public SMTP  
servers.  A record discovery could continue to function with the  
sending of messages well after A record discovery becomes deemed  
obsolete to support a acceptance requirement.  This would mean a  
email-address domain lacking an MX record might have trouble sending  
their messages, where some are already finding this to be the current  
state.

> This is another attempt to strike the right balance between  
> security (the SHOULD for subdomain coverage in SSP requirements  
> section 5.1 #4), ease of deployment (trying to avoid doubling the  
> size of zones with extra SSP records), and avoiding creation of  
> unacceptable loads on DNS, and root and TLD name servers in  
> particular.  Speak up if there are any uncovered holes in this  
> algorithm, or where I haven't achieved these goals.

Little is achieved by using wildcards.  Wildcard synthesis blocking  
within the DNS protocol necessitates placement of both a wildcard and  
non-wildcard RRs at every DNS node.  As an alternative, establishing  
tighter conventions upon discovery records actually reduces the  
amount of data published within DNS.  Limited discovery also requires  
fewer DNS transactions, and can be a broadly applied strategy for  
other protocols.  It would also mean that the current strategy of  
prefixed TXT records can be utilized.

Deploying a new wildcard XPTR scheme will necessitate increasing the  
zone size.  The XPTR scheme requires additional transactions which  
will likely to return NXDOMAIN for many years.  Those that fear a new  
RR might not be supported will also need to support an alternative  
method as well.  Unless this alternative depends upon a limited  
discovery record, such as MX or SRV records, the size of the zone  
could grow exponentially larger as other protocols attempt the same  
strategy.  Limiting discovery records is really the only reasonable  
solution for any protocol attempting to establish policy records.

-Doug

More information about the ietf-dkim mailing list