> william(at)elan.net wrote:
>>
>> On Mon, 27 Feb 2006, Jim Fenton wrote:
>>
>>>> Getting back to this group work - you are expecting to introduce large
>>>> DNS records as a mainstream for many dns servers. This would make such
>>>> servers a great target for use in amplification attacks even if those
>>>> servers are not configured to do recursion. This is bad, and the potential
>>>> for such an attack and abuse for anyone using DKIM must be documented,
>>>> and it must be made clear that servers with DKIM records may become
>>>> targets for use in DNS amplification attacks. In fact, the larger the
>>>> record you put in dns, the better target for such an attack it
>>>> becomes!
>>>
>>> If we were to include this in the threat document, it would need to go
>>> into a new category because it's not a threat to the signature mechanism
>>> nor to SSP, but rather an attack on DNS that might be facilitated by
>>> DKIM. I'm not sure whether this is in-scope for the threat document or
>>> not, but it would be an expansion of its current scope to include it.
>>
>> It is definitely something that people considering DKIM should be
>> aware of, so it should be in the threats document, and if you think you
>> need a new category - do it. Part of this problem is directly a threat to
>> DKIM (as opposed to a threat because of DKIM), as such abuse of DKIM
>> public key records would result in a denial of service attack on the dns
>> server serving the records and thus denial of service on the DKIM
>> verification process. But this is rather one of the after-effects than
>> a source of the problem.
>
> That's one vote in favor of including this sort of threat in the threats
> document. Other opinions?
Including this sounds reasonable. It'd sound even more reasonable if someone wrote it up in a paragraph suited for inclusion in the document.

Stephen.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
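The thread's claim that a larger DKIM key record makes a better amplification target can be put in numbers. The following is an added example, not code from the DKIM list or from any DKIM implementation: it builds a minimal wire-format TXT query for a DKIM selector name, models the answer an authoritative server would return, and reports the response-to-query byte ratio for several RSA key sizes. The selector name `selector._domainkey.example.com` and the key bytes are constructed placeholders (the modulus is filler with the top bit set, so only the DER and base64 sizes are realistic); the 512-byte figure is the classic UDP payload limit for a client that does not send EDNS0.

```python
import base64
import struct

# Added example (not from the DKIM list thread): estimate how the size of a
# DKIM public-key TXT record drives the UDP amplification ratio an
# authoritative server could be made to produce. The modulus is a constructed
# placeholder, not a real key; only the DER/base64/TXT sizes matter here.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
DNS_HEADER_LEN = 12
UDP_LIMIT_WITHOUT_EDNS0 = 512


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def placeholder_spki(rsa_bits: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key of rsa_bits with a constructed modulus."""
    modulus = b"\xc3" + b"\x5a" * (rsa_bits // 8 - 1)  # top bit set, like a real modulus
    if modulus[0] & 0x80:
        modulus = b"\x00" + modulus  # keep the DER INTEGER positive
    rsa_pub = der(0x30, der(0x02, modulus) + der(0x02, (65537).to_bytes(3, "big")))
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL parameters
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))


def dkim_txt_text(rsa_bits: int) -> bytes:
    """The TXT text a DKIM verifier fetches: v=DKIM1; k=rsa; p=<base64 SPKI>."""
    return b"v=DKIM1; k=rsa; p=" + base64.b64encode(placeholder_spki(rsa_bits))


def encode_qname(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 16) -> bytes:
    """Minimal RFC 1035 wire-format query (no EDNS0): header + one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, QDCOUNT=1
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def txt_rdata_len(text: bytes) -> int:
    """TXT RDATA is a run of <length><chars> strings of at most 255 chars each."""
    return sum(1 + len(text[i : i + 255]) for i in range(0, len(text), 255))


def response_len(qname: str, text: bytes) -> int:
    """Header + echoed question + one answer RR (2-byte compressed owner name,
    10 bytes of type/class/ttl/rdlength, then the TXT RDATA)."""
    question = encode_qname(qname) + struct.pack("!HH", 16, 1)
    return DNS_HEADER_LEN + len(question) + 2 + 10 + txt_rdata_len(text)


def amplification(rsa_bits: int, qname: str = "selector._domainkey.example.com") -> dict:
    """Query size, modelled response size, and their ratio for a DKIM key of rsa_bits."""
    q = len(build_query(qname))
    r = response_len(qname, dkim_txt_text(rsa_bits))
    return {
        "query_bytes": q,
        "response_bytes": r,
        "ratio": round(r / q, 2),
        "fits_udp_without_edns0": r <= UDP_LIMIT_WITHOUT_EDNS0,
    }


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, amplification(bits))
```

With these assumptions a 49-byte query yields roughly a 296-byte answer for a 1024-bit key and a 473-byte answer for a 2048-bit key; a 4096-bit key pushes the answer past 512 bytes, so a client that sends no EDNS0 OPT record gets a truncated reply and must retry over TCP, which caps what an attacker gains from that record. With EDNS0 the client advertises a larger buffer and the full answer goes out over UDP, which is the case the thread is worried about. Operators publishing DKIM keys can use the same arithmetic to see what their own records would give an attacker and to decide whether response rate limiting on the authoritative servers is warranted.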
