On Sep 19, 2006, at 3:00 PM, Frank Ellermann wrote:
>> RFC4408 enables various DDoS and DNS poisoning attacks as
>> previously described.
> That's about as relevant as the mail arriving with 25 DKIM
> signatures (one valid), after you got a million you'd figure out
> how to disable DKIM verification temporarily.
With DKIM, it should be normal to limit transactions per signing
domain. This would be especially true when done in conjunction with
annotations. With RFC4406-8, validating a set of identities may not
provide any attack indication. A victim domain may not be related to
the recipient or even the identity being validated or seen in any
log. The associated amplification potential can involve any number
of identities. This gets more extreme when receivers decide RFC4408
can also include a DKIM scope. Even now, the potential for this
problem dwarfs amplifications available with open recursive reflected
attacks done in conjunction with EDNS0, and this also defeats normal
precautions found with BCP38!
>> based upon just the "fail" as commonly required to avoid delivery
>> issues, less than 3% of spam is blocked.
> Not too shabby. The idea is to get this to almost 0%, because no
> bad actor tries it anymore.
There are still a number of "pass" results as well? For example,
Bell Canada's record ends with "+all". It seems that when no spam is
blocked by SPF, while also placing DNS in extreme peril, the reason
for employing this mechanism has been greatly diminished. A DKIM/
Mail-From policy association should provide the desired DSN
protections without imposing these risks. This is one reason why
DKIM policy should consider records for the 2821.Mail_From and
perhaps even 2821.EHLO to remove any need for RFC4408. Name paths
are far safer than IP address path definitions. Heck, the PRA could
still be used for that matter.
> You probably also get a few "pass", for those you don't need to
> worry about DSNs, they're desired. The 90% in between are not
> worse than before. And as others said, any scheme is futile if
> receivers don't like it, they must get something for their effort.
> It's sad that DKIM and SSP don't fit into the SIQ concept (or
> rather I don't see how), that could be a killer application.
Safe MUA annotation of retained email-addresses preventing even look-
alike spoofing and safe DSN protections seems to be a possible answer.
>> violating proprietary algorithms
> That was the other beast, SID and 2822. For the PRA part I'd still
> say that 2822 is prior art. Given a 2822 header minus Return-Path
> it's "obvious": Noting that in RFC 4407 was an excellent idea, but
> it's neither proprietary nor experimental. Unless ignoring the
> Return-Path is the "experiment"... :-)
By adding a parameter such as m=<any-email-address> to DKIM, there
would never be a need to employ priority algorithms, as the signature
could always make this selection explicit.
-Doug
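The "limit transactions per signing domain" defence discussed in this message, and Frank's scenario of a mail carrying 25 DKIM signatures, sketched as a small verifier front-end. This is an added example, not code from the list thread or from any DKIM implementation: it assumes the verifier parses each DKIM-Signature tag list, derives the selector record name `<s>._domainkey.<d>`, and caps the number of key lookups it will issue per signing domain in a sliding window, so a flood of signatures naming a victim domain cannot be turned into DNS load against that domain's name servers. The domain names, selectors and window sizes are constructed sample values.

```python
"""Per-signing-domain cap on DKIM key lookups (added example, assumptions marked)."""
import time
from collections import defaultdict, deque


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict.

    Folding whitespace inside values is removed; duplicate or malformed
    tags raise ValueError so a hostile header cannot carry two d= values.
    """
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = "".join(value.split())
    return tags


def selector_record_name(tags: dict) -> str:
    """DNS name holding the public key: <s>._domainkey.<d> (lower-cased)."""
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"missing required tag: {required!r}")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


class SigningDomainThrottle:
    """Sliding-window budget of key lookups per signing domain (d= tag).

    max_lookups and window_seconds are local policy knobs (assumed values).
    """

    def __init__(self, max_lookups: int, window_seconds: float):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._events = defaultdict(deque)  # domain -> timestamps of recent lookups

    def allow(self, domain: str, now: float) -> bool:
        q = self._events[domain.lower()]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(now)
        return True


def plan_lookups(signature_headers, throttle, now=None):
    """Decide which selector records one message's signatures may fetch.

    Returns (to_query, skipped). Skipped entries are (item, reason) pairs the
    verifier must treat as *unverified*, never as a signature failure, since
    the throttle says nothing about the signature's validity.
    """
    if now is None:
        now = time.monotonic()
    to_query, skipped, seen = [], [], set()
    for header in signature_headers:
        try:
            tags = parse_dkim_tags(header)
            name = selector_record_name(tags)
        except ValueError as err:
            skipped.append((header, f"malformed: {err}"))
            continue
        if name in seen:          # same record twice in one message: one query suffices
            continue
        seen.add(name)
        if throttle.allow(tags["d"], now):
            to_query.append(name)
        else:
            skipped.append((name, "per-domain lookup budget exhausted"))
    return to_query, skipped


if __name__ == "__main__":
    # Constructed sample: 25 signatures for one domain, each with a fresh selector
    # so ordinary DNS caching would not collapse them, plus one legitimate signature.
    sample = [f"v=1; a=rsa-sha256; d=victim.example; s=sel{i}; h=from:to; bh=Zm9v; b=YmFy"
              for i in range(25)]
    sample.append("v=1; a=rsa-sha256; d=good.example; s=main; h=from; bh=Zm9v; b=YmFy")
    queried, dropped = plan_lookups(sample, SigningDomainThrottle(5, 60.0), now=1000.0)
    print(len(queried), "lookups issued;", len(dropped), "signatures left unverified")
```

The budget is keyed on the d= value rather than on the full record name on purpose: an attacker controls the selector and can make every signature a cache miss, but cannot change which domain's name servers answer for `_domainkey.<d>`, so that is the resource worth protecting.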
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html