[ietf-dkim] end-users vs filtering engines

Dave Crocker dhc at dcrocker.net
Wed Apr 30 17:02:18 PDT 2008


Arvel Hathcock wrote:
>> Is there a sufficiently useful degree of benefit to warrant the 
>> (considerable) cost of development, deployment, and use?
> 
> What is this question in reference to?  The notion of NXDOMAIN lookups or
> ADSP in general?

Arvel,

Very sorry for being so cryptic.  While I view the questions as applicable for
any effort, in this case I meant them with respect to any 'protect the
sub-tree' effort. That was why my following comments referred to cousin names.

>> Is the benefit long-term?


>> A cousin domain is sufficiently trivial to use so as to make the intended
>>  protection against use of sub-domains meaningless.
> 
> That is just a restatement of the view which asserts that because ADSP 
> can't protect domains you don't control you therefore needn't bother 
> protecting those you do.

My point is that the effective "protection" is zero.

While perhaps it closes off some particular names, it does not close off the 
class of attack at all.

It is one thing to have a mechanism that makes it incrementally more 
difficult for an attacker to succeed. It is quite another to make it no harder 
at all.  If all the attacker has to do is register a new name and use a 
string-replacement on their previous attack, we do not have any meaningful 
added protections.


>> So the question is what sort of mechanism is going to benefit from
>> locking sub-domains, but not cousin domains?  How is the benefit
>> meaningful?
> 
> I don't understand the question but I suspect it's a variant of what's 
> already been asked and answered.  Is there something new here?

Asked, yes.  Answered, I don't think so.

d/


-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net