Anyway, having the ability to apply STS to subdomains is important to protect hostnames and domains unused for mail or non-existent. This kind of attack is possible:

Bob has these (quite typical) DNS records for the example.org zone:

  @     MX  10 mx1
  mx1   A   10.1.1.1

and additional STS records:

  policy.mta-sts  A    10.1.1.2
  _mta_sts        TXT  "v=STS1 id=42"

Alice has an active MitM for Bob's MX.

1. Alice makes a certificate request for mx1.example.org to any public CA, choosing [email protected] as the validation address. Because Bob does not expect any mail to be received for @mx1.example.org, he has no separate STS policy for this domain. The 'A' record is enough to receive mail for @mx1.example.org.

2. Alice hijacks the validation e-mail for [email protected] and confirms the certificate. Now she has a valid certificate for mx1.example.org.

3. Now Alice can intercept any mail for example.org despite STS.

Having STS applied to subdomains allows certificate authorities to pre-load / pre-cache SMTP STS policies for SMTP STS preloaded domains / HSTS preloaded domains / domains with issued certificates / top-1000000 domains / etc. to mitigate the attack.

Viktor Dukhovni wrote:
>> On May 14, 2016, at 2:30 AM, Gihan Dias <[email protected]> wrote:
>>
>> Is it an *atypical* DNS name, or an *invalid* DNS name?
> It is completely valid, just not a valid hostname. DNS supports
> arbitrary binary data in record owner labels. In any case, since
> this does not do what the OP wanted from it, further dissection of
> this is moot. I should have followed up with a technically correct,
> but irrelevant correction. Sorry about that.
>

-- 
Vladimir Dubrovin
@Mail.Ru

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
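The gap the post describes is auditable from the zone alone: an MX host whose own A record makes it accept mail for @<mx-host>, with no STS policy of its own, is exactly the name a domain-validation e-mail could be routed to. The Python below is an added example written for this thread, not code from the post or from any MTA-STS implementation. It models Bob's zone as an inline dictionary (constructed data, no real DNS lookups), flags such hosts, and shows two ways to close the gap: a null MX (RFC 7505) so the host refuses mail, or a per-host STS TXT record using the post's `_mta_sts` label. The `subdomains` token in `sts_covers` is a hypothetical parent-policy flag standing in for the subdomain inheritance the post argues for; it is not part of the draft.

```python
"""Audit the MX hostnames of a domain for the 'MX host accepts mail but has
no STS policy' gap.  All DNS data is constructed inline; nothing is looked up."""

NULL_MX = "."  # RFC 7505 null MX target: the name refuses all mail

# Constructed copy of Bob's zone from the post (owner names fully qualified).
BOBS_ZONE = {
    "example.org":                {"MX": [(10, "mx1.example.org")]},
    "mx1.example.org":            {"A": ["10.1.1.1"]},
    "policy.mta-sts.example.org": {"A": ["10.1.1.2"]},
    "_mta_sts.example.org":       {"TXT": ["v=STS1 id=42"]},
}


def mail_hosts(zone, name):
    """Hosts that would receive mail for @name under the usual SMTP rules:
    explicit MX records win; a null MX refuses mail; with no MX at all an
    A/AAAA record makes the name itself accept mail (the implicit MX)."""
    recs = zone.get(name, {})
    mx = recs.get("MX", [])
    if mx:
        if any(host == NULL_MX for _, host in mx):
            return []
        return [host for _, host in sorted(mx)]
    if recs.get("A") or recs.get("AAAA"):
        return [name]
    return []


def has_sts_policy(zone, name):
    """True if _mta_sts.<name> carries a v=STS1 TXT record (label as in the post)."""
    txt = zone.get("_mta_sts." + name, {}).get("TXT", [])
    return any(t.startswith("v=STS1") for t in txt)


def sts_covers(zone, host, domain, subdomains_flag="subdomains"):
    """Hypothetical subdomain inheritance (not in the draft): the parent's
    policy also covers `host` when its TXT record carries `subdomains_flag`."""
    if has_sts_policy(zone, host):
        return True
    if host == domain or host.endswith("." + domain):
        txt = zone.get("_mta_sts." + domain, {}).get("TXT", [])
        return any(t.startswith("v=STS1") and subdomains_flag in t.split()
                   for t in txt)
    return False


def audit_mx_hosts(zone, domain):
    """MX hostnames of `domain` that accept mail for @<host> while no STS
    policy covers them: the names a validation e-mail could be delivered to."""
    return [
        host
        for host in mail_hosts(zone, domain)
        if mail_hosts(zone, host) and not sts_covers(zone, host, domain)
    ]


def harden(zone, domain, method="null_mx"):
    """Copy of `zone` with every flagged MX host closed off: either a null MX
    (host refuses mail) or a per-host STS policy (id value is constructed)."""
    fixed = {k: dict(v) for k, v in zone.items()}
    for host in audit_mx_hosts(zone, domain):
        if method == "null_mx":
            fixed.setdefault(host, {})["MX"] = [(0, NULL_MX)]
        else:
            fixed["_mta_sts." + host] = {"TXT": ["v=STS1 id=1"]}
    return fixed


if __name__ == "__main__":
    print("at risk:  ", audit_mx_hosts(BOBS_ZONE, "example.org"))
    print("null MX:  ", audit_mx_hosts(harden(BOBS_ZONE, "example.org"), "example.org"))
    print("per-host: ", audit_mx_hosts(harden(BOBS_ZONE, "example.org", "sts"), "example.org"))
```

On Bob's zone the audit flags mx1.example.org; after either hardening step the list is empty. The null MX variant is the cheaper fix when an MX host genuinely never needs to receive mail, since it also stops unrelated validation mail from landing there; the per-host policy keeps the host reachable but makes the STS check apply to it.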
