Stephen Farrell wrote:
>
>> I remember talking about this a long time ago with Jim as a potential
>> attack. While it remains so, a TLD operator can even more easily
>> change your NS records too. So, really, the integrity of the DNS is
>> hinged on TLD operators not doing such evil things. As such, I don't
>> think DKIM's vulnerability is any greater than, say, the NS record
>> for bankofamerica.com, right?
>
> I think that that's correct. But this is a different threat, so we
> should note it at least.

Agreed.
If the problem were limited to TLDs, then we would be able to simply say that the d= in a signature MUST NOT be a TLD. But the problem isn't just TLDs, but any parent domain, e.g., co.uk, ca.us, k12.ca.us, etc.

In response to some other comments, this isn't a DNS vulnerability. DNS could be perfectly secure and we would have this problem; it derives from the fact that DKIM allows parent domains to sign for their children. So it belongs in the DKIM threats document.

I would probably rate it as a high impact (affects entire domains) but low likelihood (one has to be the owner of a higher-level domain, and most of them can probably be trusted not to do this) threat.

-Jim

_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
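As an added illustration of the verifier-side policy the post above is weighing (this is not code from the thread, from the DKIM specification, or from any list participant), the following Python classifies the relationship between the From: domain and the d= signing domain and then applies two candidate rules side by side: the "d= MUST NOT be a TLD" rule the post considers, and a rule that rejects any d= found on a public-suffix list. The suffix list here is a small constructed sample standing in for a real Public Suffix List, and the header values are constructed test messages; a d= of co.uk passes the TLD-only rule but is caught by the suffix rule, which is exactly the gap the post describes.

```python
"""
Verifier-side check for the parent-domain signing issue: classify the
d= signer relative to the From: domain and apply two candidate policies.
Added example; not part of the mailing-list thread or the DKIM spec.
"""
from __future__ import annotations
import re

# Constructed sample standing in for a real public-suffix list (assumption).
SAMPLE_PUBLIC_SUFFIXES = {
    "com", "org", "uk", "us",
    "co.uk", "ca.us", "k12.ca.us",
}

# Constructed DKIM-Signature header values for the demonstration.
SIG_PARENT_SUFFIX = (
    "v=1; a=rsa-sha256; d=co.uk; s=sel; c=relaxed/relaxed;\r\n"
    " h=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw=="
)
SIG_ORG_PARENT = (
    "v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;\r\n"
    " h=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw=="
)
SIG_BARE_TLD = (
    "v=1; a=rsa-sha256; d=com; s=sel; c=relaxed/relaxed;\r\n"
    " h=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw=="
)


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header value.

    Tags are separated by ';'; folding whitespace inside a value is dropped.
    Only the first '=' splits a tag from its value, so base64 padding survives.
    """
    tags: dict[str, str] = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = "".join(value.split())
    return tags


def from_domain(from_header: str) -> str:
    """Extract the domain of the address in a From: header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError("no address in From header")
    return m.group(1).lower().rstrip(".")


def classify_signer(from_dom: str, d: str) -> str:
    """'same', 'parent' (d= is a proper ancestor of From), or 'unrelated'."""
    from_dom = from_dom.lower().rstrip(".")
    d = d.lower().rstrip(".")
    if from_dom == d:
        return "same"
    if d and from_dom.endswith("." + d):
        return "parent"
    return "unrelated"


def evaluate(from_header: str, dkim_header: str,
             suffixes: set[str] = SAMPLE_PUBLIC_SUFFIXES) -> dict:
    """Apply both candidate rules to one From:/DKIM-Signature pair."""
    d = parse_dkim_tags(dkim_header).get("d", "").lower().rstrip(".")
    fd = from_domain(from_header)
    d_is_tld = "." not in d          # the "MUST NOT be a TLD" rule
    d_is_suffix = d in suffixes      # the public-suffix rule
    return {
        "from_domain": fd,
        "d": d,
        "relationship": classify_signer(fd, d),
        "accept_under_tld_only_rule": not d_is_tld,
        "accept_under_suffix_rule": not d_is_suffix,
    }


if __name__ == "__main__":
    cases = [
        ("Alice <alice@bank.co.uk>", SIG_PARENT_SUFFIX),   # co.uk signs for bank.co.uk
        ("Alice <alice@mail.example.com>", SIG_ORG_PARENT),  # intended parent signing
        ("Alice <alice@example.com>", SIG_BARE_TLD),        # bare TLD signs
    ]
    for frm, sig in cases:
        print(evaluate(frm, sig))
```

The organizational-parent case (example.com signing for mail.example.com) is accepted by both rules, since that is the delegation DKIM intends; only a signer that is itself a registry-controlled suffix is rejected, and only the suffix-based rule catches the co.uk case.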
