> On May 10, 2018, at 11:23 AM, Warren Kumari <[email protected]> wrote:
> 
>> An attacker who can inject false DNS resolutions can, of course, redirect 
>> either the fixed mta-sts host or insert a spoofed TXT response--but by 
>> allowing the attacker to specify what hostname to use, it is more likely 
>> that attacks which indirectly allow an attacker to obtain a valid cert for a 
>> subdomain (as in the Tumblr or Blogspot case) can be leveraged (along with 
>> DNS injection) to serve a spoofed policy for the whole domain. 
> 
> .. but isn't this also the case with the current solution?

Not so much.

>  Unless Tumblr and Blogspot and everyone else know to reserve mta-sts, we 
> have a similar issue? We've seen issues in the past where people forget to 
> "reserve" hostmaster@ and hostmaster@, etc., and hilarity ensues.

The real concern is for domains that have MTA-STS policy. A forged
TXT record should not be able to redirect the policy to a different
source.  If a domain has no MTA-STS policy, then a failure to reserve
the mta-sts hostname might allow someone to register that subdomain,
but that someone would still need to MiTM the TXT record, and they could
instead MiTM the MX records.

So all that "mta-sts" buys them is the ability to create an extended
DoS, until the domain owner takes over "mta-sts" and publishes a new
TXT record.  It's not great that the DoS could happen, but recovery
is just taking back control of the delegation.

That said, I share your concern about reserved hostnames.  The only
realistic alternative is to require "example.com" rather than
"mta-sts.example.com", which limits HTTPS hosting options.

MTA-STS is a kludge to avoid DNSSEC, and some contortions and caveats
are inevitable.

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta

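The point Viktor makes above, that the TXT record only signals that a policy exists while the policy itself is always fetched from the fixed `mta-sts.<domain>` host, can be shown in code. The following is an added example, not code from the thread or from any MTA-STS implementation; the TXT record and policy body are constructed samples, and the field names follow the MTA-STS draft/RFC 8461 (`v=STSv1; id=...`, `version`, `mode`, `mx`, `max_age`).

```python
import re

# Constructed samples: the _mta-sts.example.com TXT record and the policy body
# that would be served from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20180510T112300;"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.backup.example.com\nmax_age: 604800\n")

def parse_sts_txt(txt):
    """Return the policy id from an STSv1 TXT record, or None if malformed.
    The record carries no hostname: it only says a policy exists and which
    version it is, so forging it cannot redirect where the policy is read."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return None
    return fields["id"]

def policy_url(domain):
    """Policy location derived from the recipient domain alone (fixed host)."""
    return "https://mta-sts." + domain.rstrip(".").lower() + "/.well-known/mta-sts.txt"

def parse_policy(text):
    """Parse the key: value policy body; None if version/mode are invalid."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    return policy

def mx_allowed(policy, mx_host):
    """MX pattern match: a leading '*.' covers exactly one label, no more."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False
```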