[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNSSEC - Signature Only vs the MX/A issue.

To: namedroppers@ops.ietf.org
Subject: DNSSEC - Signature Only vs the MX/A issue.
From: Mike StJohns <Mike.StJohns@nominum.com>
Date: Sun, 26 Nov 2006 22:26:55 -0500
Delivery-date: Mon, 27 Nov 2006 03:55:40 +0000
Envelope-to: namedroppers-data@psg.com

Rob Austein brought up one of the few issues that I hadn't previouslyconsidered.

His question - In the signature only model, what happens if anattacker does a deletion attack on the MX record at a label forcingthe MTA to fall back to looking up the "A" record?

In PNE, this isn't an issue as you can determine whether or not theMX record actually existed.

There's a couple of things that should be said here. The MX/Afallback was simply a hack to deal with the early days of theinternet and the transition from host table to DNS. Most emailaccounts were tied to machines on which people had accounts. The PCas an internet node was still quite a few years away. The host tablemodel (prior to DNS) basically mapped stjohns@umd5.umd.edu to emailon umd5.umd.edu and used the IP address in the host table as thedelivery address. Most MTAs at that point had no concept of MXrecords nor did the admins of the various subnets. When DNS cameout, most MTAs still queried only for A records, but eventuallystarted querying for MX records. At this point in time, I'd besurprised if there are more than a very few MTAs that don't lead withMX queries. Anyone have data on any MTAs that don't lead with MX records.

Of course, there may also be zones (or names within zones) that hostMTAs, but that don't also have MX records - anyone have data on this?

I chatted briefly with John Klensin about deprecating this MX/Aalternate in the next revision to RFC2821 - comments on whether thisis a reasonable approach?

Going forward, if an MTA is adapted to use SO, it may be a reasonablepolicy to require MX records for a "validated" result. If an MXrecord doesn't exist, or if its unsigned, then the output of thevalidator would be "unvalidated" regardless of any validation on the"A" alternate and the MTA would take whatever action is appropriatefor any unvalidated response. The guidance to use MX records wouldadded to the general guidance for anyone managing an SO zone.



Any other ideas in this general topic?

Mike




--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Prev by Date: DNSSEC - Application use of Provable non-existence
Next by Date: Re: DNSSEC - Intermediate Validation - Good or bad idea?
Previous by thread: DNSSEC - Application use of Provable non-existence
Next by thread: Re: DNSSEC - Signature Only vs the MX/A issue.
Index(es):
- Date
- Thread