Michael Thomas wrote: > I remember talking about this a long time ago with Jim as a potential > attack. While it remains so, a TLD operator can even more easily > change your NS records too. So, really, the integrity of the DNS is > hinged on TLD operators not doing such evil things. As such, I don't > think DKIM's vulnerability is any greater than, say, the NS record > for bankofamerica.com, right?
I doubt that many nameserver implementations are querying Verisign's nameservers for bankofamerica.com's A record directly, but rather for the NS record. Even with that being the case, they could redirect the NS request somewhere evil, the impact there is obvious breakage. In the DKIM case, however, Verisign is able to quietly purport to be bankofamerica.com without breaking anything in place (as they would if they attempted to clobber our own _domainkey RRs, or redirect DNS lookups elsewhere via rogue NS records). Note, lest anyone get any funny ideas, that I don't actually think Verisign would attempt this, and I'm not concerned for my personal welfare as I doubly doubt they'd attempt it on a high-visibility target. I just find them useful examples. You may substitute example.cn if you prefer. -- Mike _______________________________________________ NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
