[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

Eric Allman eric+dkim at sendmail.org
Wed Apr 9 10:46:16 PDT 2008


Dave, I'm not understanding how the algorithm can work if you omit 
step 2 from section 4.2.2.

Suppose that example.com wants to assert to the world that it signs 
all messages.  It will create an ADSP record for example.com with the 
appropriate assertion.  Without step 2, all an attacker has to do is 
to craft a message purported to be from 
"attacker at some.thing.example.com" (where "thing" is not a valid label 
in the example.com domain).  Step 1 fails, because of course there is 
no _adsp._domainkey.some.thing.example.com (i.e., it returns 
NXDOMAIN), so the algorithm falls through to the next step, which is 
now step 3.  Step 3 searches for _adsp._domainkey.thing.example.com, 
which also returns NXDOMAIN, so "the algorithm terminates with a 
result indicating that no ASP record was present" --- and the absence 
of an ADSP record means that unsigned mail must be deemed legitimate. 
Without step 2 there is nothing example.com can do to protect its 
name space.

If that's what you mean when you say "that presumes the goal of 
protecting an entire sub-tree" then I'm all for protecting the entire 
sub-tree.  Anything less looks to me like it severely weakens the 
entire point of ADSP.

eric



--On April 7, 2008 2:32:25 PM -0700 Dave Crocker <dhc at dcrocker.net> 
wrote:

>
>
> robert at barclayfamily.com wrote:
>> Like others I am guessing that you are referring to section 4.2.2
>> step 2.
>
> Yup.
>
>>    Since the domain doesn't exist the administrator can't have
>> been expected to create a policy for it so error seems like the
>> right answer to me.
>
> That presumes the goal of protecting an entire sub-tree.
>
> Absent that goal, the goal is to cover domains that have ADSP
> records.  Very different scope of effort.
>
>
>> Otherwise to create policies for all of my domains I would have to
>> create policies not just for all existing sub-domains of that
>> domain (which I personally would support) but all conceivable
>> sub-domains of a domain (which I don't think I would).
>
> Again, creating records for every conceivable name -- and no, I
> can't imagine any reasonable administrator attempting that -- is
> only an issue if there is a belief that ADSP can 'protect' all
> names in a sub-tree.
>
> d/
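
The lookup Eric walks through above, as an added example that is not part of the original message or of the draft: a simulated ADSP lookup run with and without step 2. The zone contents, the record text and the function names are constructed for illustration, and the wording of each step is inferred from this thread rather than quoted from section 4.2.2.

```python
# Constructed data for illustration: names that exist in DNS, and the policy
# record example.com publishes. Anything not listed answers NXDOMAIN.
EXISTING_NAMES = {"example.com", "www.example.com"}
POLICY_RECORDS = {"_adsp._domainkey.example.com": "all-mail-signed"}  # placeholder text


def fetch_policy(domain):
    """Return the policy record published for `domain`, or None on NXDOMAIN."""
    return POLICY_RECORDS.get("_adsp._domainkey." + domain)


def adsp_lookup(author_domain, verify_exists=True):
    """Simulate the three lookup steps discussed in the thread.

    verify_exists=False models the proposal to drop step 2.
    Returns (outcome, detail), outcome being "record", "error" or "none".
    """
    # Step 1: look for a record published for the author domain itself.
    record = fetch_policy(author_domain)
    if record is not None:
        return ("record", record)

    # Step 2: check that the author domain exists at all. A nonexistent
    # name is an error, not a domain without a policy.
    if verify_exists and author_domain not in EXISTING_NAMES:
        return ("error", "author domain does not exist")

    # Step 3: look for a record published for the immediate parent domain.
    parent = author_domain.partition(".")[2]
    record = fetch_policy(parent) if parent else None
    if record is not None:
        return ("record", record)

    # No record found: the receiver learns nothing about signing practice.
    return ("none", None)


if __name__ == "__main__":
    for domain in ("example.com", "www.example.com", "some.thing.example.com"):
        print(domain, "with step 2:", adsp_lookup(domain))
        print(domain, "without step 2:", adsp_lookup(domain, verify_exists=False))
```

With step 2 the fabricated name some.thing.example.com ends in an error the receiver can act on; without it the lookup ends with no record, which is the outcome Eric objects to.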



