> Well, here's one: DKIM often runs during the incoming SMTP conversation > with its inherent timeouts. Can attackers exploit that fact? What should a > developer do to minimize risk?
Can you elaborate on how CNAME in particular comes into play here? If the SMTP server does any DNS queries at all, whether that be for DKIM, reverse mapping, RBLs, PKIX servers or any other modern-day goop, then those queries can easily have CNAMEs in the chain. Even just following the NS tree down to the authoritative server for the d= domain in question can easily have CNAMEs that a client/cache already follows today. The only question can be, does a CNAME immediately prior to the final TXT/DKK RR add a threat that is different from CNAMEs encountered earlier in the lookup process. Mark. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
