On Tue, 2006-11-14 at 10:33 +0000, Andras Salamon wrote:
> On Mon, Nov 13, 2006 at 10:15:07PM -0800, Douglas Otis wrote:
> > There is a general threat to DNS created by an experimental email
> > script contained within DNS records.
>
> As far as I understand, the attack vector relies on some process
> outside the DNS retrieving, interpreting and acting on records
> contained in the DNS. Is this correct?
Yes.

> If so, my feeling is the SPF folks should revise their protocol.
> Perhaps it isn't altogether a good idea to make protocols general
> enough to be near-Turing-complete for the sake of data compression.

The SPF script language does not improve data compression. The APL RR (RFC 3123) provides 10 times the informational density and existed prior to SPF development. Parameters added as arguments to this script necessitate repeated execution, even when resolving from the same domain. Stateful processing of many scripted transactions also likely leads to common multiplexing ports. Execution of DNS-related script from unknown entities represents a breach in network security.

> However, please clarify why a DNS working group should take
> responsibility for fixing the semantics of data people choose to
> put into the DNS. People bringing down parts of the DNS through
> DOS attacks is hardly new. Storing the semantics of the attack
> into the DNS itself is cute but hardly a cause for action by a DNS
> working group.
>
> Finally, if such a protocol (experimental, right?) were to start being
> deployed, it would likely destroy its own ecology, so I don't see it
> lasting long in an environment of cautious network operators.

Although SPF is experimental, it is being heavily promoted for use with Sender-ID. SPF is at about 30% adoption by the largest corporations, which represents 10 times the typical level of adoption! Running with the big dogs, few seem to notice the RFC is experimental, nor is this mentioned in promotional material. This script can be aimed at poisoning DNS, as the language can repeatedly query resources of various record types while flash flooding authoritative DNS. Scripted execution may happen at MTAs and at the desktop of email recipients. DNS is at risk, but attacks can be highly targeted and devastating. Being highly targeted, this retains the ecology providing the attack vector.
It is fallacious to suggest the network is protected by the self-interests of the bad actor.

-Doug

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
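The concern raised in this thread is that evaluating an SPF record can fan out into many DNS queries, and that macro arguments such as the sender IP make the results unique per evaluation, so they cannot be served from cache. The following is an added example, not code from the dnsop thread or from any SPF implementation: a static linter that counts the DNS-lookup terms in a single SPF record (include, a, mx, ptr, exists, and the redirect modifier) against the 10-lookup cap of RFC 4408 section 10.1, and flags lookup terms that carry macros. It works on record strings supplied by the caller and sends no DNS queries; the records below are constructed for illustration, and a real deployment would also have to follow included records, which add their own lookups.

```python
"""Static lint of an SPF v1 record for DNS-lookup fan-out (added example).

Counts the terms that trigger DNS queries during SPF evaluation and
flags macro-bearing lookup terms, whose results vary per sender and so
defeat resolver caching. No network access is performed.
"""
import re

# Mechanisms whose evaluation requires at least one DNS query (RFC 4408 §5).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10  # RFC 4408 §10.1: more than 10 such terms is a permerror

# Macro expansion syntax, e.g. %{i}, %{d2}, %{l-} (RFC 4408 §8).
MACRO_RE = re.compile(r"%\{[slodiphcrtv]\d*r?[.\-+,/_=]*\}", re.IGNORECASE)
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.\-]*=", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument, is_modifier) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            name, value = term.split("=", 1)          # redirect=... / exp=...
            parsed.append(("", name.lower(), value, True))
            continue
        qualifier = ""
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")            # mx:example.com/24
        name = name.split("/")[0]                     # a/24 -> a
        parsed.append((qualifier, name.lower(), arg, False))
    return parsed


def lint_spf(record):
    """Return a report on how many DNS lookups one record forces."""
    lookups = 0
    macro_lookups = 0
    findings = []
    for _qualifier, name, arg, is_modifier in parse_spf(record):
        triggers_lookup = (is_modifier and name == "redirect") or \
                          (not is_modifier and name in LOOKUP_MECHANISMS)
        if not triggers_lookup:
            continue
        lookups += 1
        if MACRO_RE.search(arg):
            macro_lookups += 1      # result depends on sender, uncacheable
        if name == "ptr":
            findings.append("ptr: reverse lookups of the sender IP, "
                            "cost controlled by the sender's reverse zone")
    if lookups > LOOKUP_LIMIT:
        findings.append("%d lookup terms exceed the limit of %d"
                        % (lookups, LOOKUP_LIMIT))
    if macro_lookups:
        findings.append("%d macro-bearing lookup term(s): results vary per "
                        "sender and bypass resolver caching" % macro_lookups)
    return {
        "lookups": lookups,
        "macro_lookups": macro_lookups,
        "over_limit": lookups > LOOKUP_LIMIT,
        "findings": findings,
    }


# Constructed sample records (example.* names, not real policies).
SAFE_RECORD = "v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"
HEAVY_RECORD = (
    "v=spf1 a mx ptr include:a.example include:b.example include:c.example "
    "include:d.example include:e.example include:f.example include:g.example "
    "exists:%{i}.bl.example redirect=h.example"
)

if __name__ == "__main__":
    for label, rec in (("safe", SAFE_RECORD), ("heavy", HEAVY_RECORD)):
        report = lint_spf(rec)
        print(label, report["lookups"], "lookups")
        for finding in report["findings"]:
            print("  -", finding)
```

The safe record costs two lookups (mx and one include); the heavy one forces twelve before any included record is even fetched, and its exists term keyed on the sender IP guarantees a fresh query per message. A publisher-side check of this kind is the cheapest way to keep a domain's own policy from being the amplifier, and the same count, applied by a resolver-side evaluator that aborts once the cap is hit, bounds the work any single record can impose.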
