william(at)elan.net wrote:
>
> On Mon, 27 Feb 2006, Jim Fenton wrote:
>
>>> Getting back to this group work - you are expecting to introduce large
>>> DNS records as a mainstream for many dns servers. This would make such
>>> servers a great target for use in amplification attacks even if those
>>> servers are not configured to do recursion. This is bad and potential
>>> for such an attack and abuse for anyone using DKIM must be documented
>>> and it must be made clear that servers with DKIM records may become
>>> targets for use in DNS amplification attacks. In fact the larger the
>>> record you put in dns, the better target for such an attack it becomes!
>>
>> If we were to include this in the threat document, it would need to go
>> into a new category because it's not a threat to the signature mechanism
>> nor to SSP, but rather an attack on DNS that might be facilitated by
>> DKIM. I'm not sure whether this is in-scope for the threat document or
>> not, but it would be an expansion of its current scope to include it.
>
> It is definitely something that people considering DKIM should be
> aware of so it should be in threats documents and if you think you
> need new category - do it. Part of this problem is directly a threat to
> DKIM (as opposed to threat because of DKIM) as such abuse of DKIM
> public key records would result in denial of service attack on dns
> server serving the records and thus denial of service on DKIM
> verification process. But this is rather one of the after-effects than
> a source of the problem.

That's one vote in favor of including this sort of threat in the threats document. Other opinions?
-Jim

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
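A defender-side estimate of the exposure William describes, added here and not part of the thread: it computes the on-the-wire size of a DKIM TXT answer for a given RSA key size and the ratio to the bare query that fetched it, so an operator can see how much a larger key record enlarges the response a server will hand to anyone who asks. The record name, the DER size arithmetic for an RSA SubjectPublicKeyInfo, and the assumption of a plain UDP exchange without EDNS are all constructed for this example.

```python
import math

# Constructed estimate: DNS response size for a DKIM public-key TXT record
# and its ratio to the query, as a function of RSA key size (defender's view).

def _der_len(n: int) -> int:
    """Bytes used by a DER tag + length header for n content bytes."""
    if n < 0x80:
        return 2
    return 2 + (n.bit_length() + 7) // 8

def spki_der_size(key_bits: int, e: int = 65537) -> int:
    """Size in bytes of a DER SubjectPublicKeyInfo for an RSA key whose modulus
    has its top bit set (so the INTEGER needs one leading 0x00 byte)."""
    n_content = key_bits // 8 + 1
    e_content = (e.bit_length() + 7) // 8           # 65537 -> 3 bytes
    rsa_pub = _der_len(n_content) + n_content + _der_len(e_content) + e_content
    rsa_pub += _der_len(rsa_pub)                    # enclosing RSAPublicKey SEQUENCE
    bit_str = 1 + rsa_pub                           # BIT STRING "unused bits" byte + payload
    bit_str += _der_len(bit_str)
    alg_id = 15                                     # SEQUENCE { OID rsaEncryption, NULL }
    body = alg_id + bit_str
    return _der_len(body) + body

def dkim_txt_rdata_size(key_bits: int) -> int:
    """Wire size of the TXT RDATA: <len><chars> strings of at most 255 bytes each."""
    b64_len = 4 * math.ceil(spki_der_size(key_bits) / 3)   # base64 of the DER key
    text_len = len("v=DKIM1; k=rsa; p=") + b64_len
    chunks = math.ceil(text_len / 255)                     # one length byte per chunk
    return text_len + chunks

def _wire_name_size(name: str) -> int:
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1         # label lengths + root byte

def dkim_amplification(key_bits: int, name: str = "selector._domainkey.example.com"):
    """Return (query_bytes, response_bytes, ratio) for one UDP query and its
    single-RR answer, with no EDNS OPT record and the answer name compressed."""
    question = _wire_name_size(name) + 4                   # QNAME + QTYPE + QCLASS
    query = 12 + question                                  # header + question section
    answer_fixed = 2 + 2 + 2 + 4 + 2                       # name ptr, TYPE, CLASS, TTL, RDLENGTH
    response = 12 + question + answer_fixed + dkim_txt_rdata_size(key_bits)
    return query, response, round(response / query, 2)

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        q, r, ratio = dkim_amplification(bits)
        print(f"RSA-{bits}: query {q} B, response {r} B, ratio {ratio}x")
```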
