On 5/6/15 11:51 AM, Hector Santos wrote:
> On 5/6/2015 2:13 PM, Douglas Otis wrote:
>>
>> The real problem in using double signature schemes is expiry
>> will be long enough to support significantly large campaigns
>> that can't be stopped even after being detected unless DKIM
>> signatures are pulled. Then of course, this creates nasty
>> DNS handling issues and potentially high levels of
>> collateral damage.
>
> I think you are overstating this. Remember, there are DDoS
> and load controls already in place. DKIM will not exert
> any more pressure on DNS than already exists. We are also
> very comfortable with the resilience of DNS software,
> advanced caching methods, and higher, lower cost, powered
> machines allowing us to scale up, rather than scale out.
>
> The real problem with double signatures is that more
> additional coding work is required and there are too many
> design assumption ifs making it inherently more complex
> and a higher barrier to adoption compared to the baseline,
> simpler DNS call method.
Dear Hector,

Defending against DDoS is very difficult, but that was not the concern. Collateral damage would be legitimate messages inadvertently blocked when removing a common DKIM signature. There is also the challenge of managing a double-signature re-signing process where it must be assumed not all destinations receive a signature delegation. Even this double signing process may prove problematic when it goes beyond SQL query rates.

There is also another concern regarding any phishing campaign permitted by effectively signing unknown content. Only by removing DKIM signatures from DNS would a DMARC domain be able to squelch a phishing attack it inadvertently authorized. TPA-Label allows authorization removal to be based on the destination domain and even a specific list-id. TPA-Label would not impact any existing DKIM signing process since authorization by destination is managed by TPA-Label zones.

Regards,
Douglas Otis

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
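The collateral-damage point Douglas raises above rests on one DKIM mechanism: a verifier fetches `selector._domainkey.domain` from DNS, and the only way a domain can stop honouring signatures made under that selector is to revoke the key record (RFC 6376 section 3.6.1 defines an empty `p=` tag as "key revoked"). Every message signed with that selector then fails, phishing and legitimate alike. The following is an added example, not code from the thread or from any DKIM implementation: it parses key records, classifies them as a verifier would, and counts what pulling one shared selector does to a constructed batch of messages. The DNS zone, the placeholder `p=` values, the `Message` type and `campaign_impact` are all assumptions made for the example; the RSA signature check itself is not modelled, only the key lookup and revocation semantics around it.

```python
"""Model DKIM key revocation in DNS and the messages it takes down with it."""
import copy
from dataclasses import dataclass

# Constructed DNS zone for the example (assumption). Real "p=" values are
# base64 RSA public keys; the placeholders stand in for them because only the
# lookup and revocation semantics are modelled here.
ZONE = {
    "list._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_LIST",
    "corp._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_CORP",
}


def parse_key_record(txt: str) -> dict:
    """Parse a DKIM key record's tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';', whitespace around tag names and inside values
    is ignored, a trailing ';' is permitted, and duplicate tags are an error.
    """
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())
    return tags


def key_status(zone: dict, domain: str, selector: str) -> str:
    """Classify the record a verifier fetches for d=domain, s=selector."""
    txt = zone.get(f"{selector}._domainkey.{domain}")
    if txt is None:
        return "missing"
    try:
        tags = parse_key_record(txt)
    except ValueError:
        return "invalid"
    # "v=" is optional but must be DKIM1 when present; "p=" is required.
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # RFC 6376 section 3.6.1: empty p= means revoked
    return "ok"


@dataclass
class Message:
    d: str                   # DKIM-Signature d= tag
    s: str                   # DKIM-Signature s= tag
    legitimate: bool         # ground truth for the example; unknown to the verifier
    crypto_ok: bool = True   # stand-in for the RSA check, which is not modelled


def verify(zone: dict, msg: Message) -> str:
    """Return 'pass' or 'fail:<reason>' the way a verifier would report it."""
    status = key_status(zone, msg.d, msg.s)
    if status != "ok":
        return "fail:" + status
    return "pass" if msg.crypto_ok else "fail:signature"


def revoke(zone: dict, domain: str, selector: str) -> None:
    """Pull a selector by publishing the RFC 6376 revoked-key record."""
    zone[f"{selector}._domainkey.{domain}"] = "v=DKIM1; k=rsa; p="


def campaign_impact(zone: dict, messages: list, domain: str, selector: str):
    """Count (phishing stopped, legitimate mail broken) by revoking one selector.

    The original zone is left untouched; the revocation is applied to a copy.
    """
    before = [verify(zone, m) for m in messages]
    after_zone = copy.deepcopy(zone)
    revoke(after_zone, domain, selector)
    after = [verify(after_zone, m) for m in messages]
    newly_failing = [
        m for m, b, a in zip(messages, before, after) if b == "pass" and a != "pass"
    ]
    phish_stopped = sum(1 for m in newly_failing if not m.legitimate)
    legit_broken = sum(1 for m in newly_failing if m.legitimate)
    return phish_stopped, legit_broken


# Constructed traffic (assumption): three posts relayed and re-signed by a list
# under the shared "list" selector, one of them phishing, plus one direct
# corporate message under a separate selector.
MESSAGES = [
    Message("example.com", "list", legitimate=True),
    Message("example.com", "list", legitimate=True),
    Message("example.com", "list", legitimate=False),
    Message("example.com", "corp", legitimate=True),
]

if __name__ == "__main__":
    stopped, broken = campaign_impact(ZONE, MESSAGES, "example.com", "list")
    print(f"revoking list._domainkey.example.com: "
          f"{stopped} phishing message(s) stopped, {broken} legitimate message(s) broken")
```

Run as-is it reports one phishing message stopped and two legitimate messages broken; the `corp` selector is unaffected because revocation is per selector, which is exactly the granularity Douglas is arguing is too coarse. Anything finer (per destination domain or per list-id, as he proposes) has to live somewhere other than the key record, since a verifier that finds `p=` empty has no further signal to consult.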
