--On Wednesday, September 16, 2015 12:46 +0200 Eliot Lear <lear@xxxxxxxxx> wrote:

>> One DNS request is about as expensive as trying a RCPT TO on
>> the mail server itself.
>
> Perhaps but you seem to think it's an either/or thing. It
> seems likely that once they're there, someone's going to try
> to get at them. We simply can't expect otherwise.

Eliot,

Thanks. And agreed.

There are other operational differences that call "about as expensive" into question. While arrangements differ from one provider to the next and in part because of spam and related problems, many SMTP servers are aggressively monitored. Rate-limiting is common, as is connection filtering based on sender address ranges and other protections. All SMTP connections are over TCP, which facilitates the above.

DNS queries are, in my experience, typically less aggressively monitored and filtered. The I-D recommends using TCP for OPENPGPKEY queries, but my (admittedly poor) memory of DNS protocol details suggests that, if one only wanted to determine the presence of a record and didn't care about the key, a UDP query could be used, making some of the protections that are used by SMTP servers even more difficult. There is also no SMTP equivalent of hiding one's DNS query by the use of forwarders or caching servers rather than direct use of authoritative ones. If UDP is, in fact, possible, then the DNS query is inherently less expensive than opening a mail transaction and also exposes the attacker to at least slightly lower odds of detection, identification, or blocking.

Equally important, in many organizations, the DNS servers and SMTP ones are not operated by the same people/groups and communication between them is often not wonderful (this has been raised as an operational objection to the whole "keys in the DNS" story, but, if other issues are addressed, I'm comfortable having that be an experiment). The result is that information about address mining via DNS may not get to the mail folks at all or in a timely way (and vice versa, by the way, but that seems less important).

So "about as expensive" may not be true, especially if effectiveness is weighed into the equation. At a minimum, the conditions are different enough that a probe to one cannot be equated to a probe to the other.

FWIW, some of the issues above are closely related to the reasons I want to see the "experiment" described. If we can anticipate possible issues, asking people to monitor for them and report on them seems reasonable... and not doing so seems a little irresponsible.

john
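The message above argues that OPENPGPKEY lookups are a cheaper and less-watched way to mine addresses than RCPT TO probes, and asks that operators monitor for exactly that. The following is an added illustration of what such monitoring could look like on the DNS side; it is not code from the thread, the I-D, or any DNS server project. It reads a constructed, simplified query-log format (timestamp, client, transport, qname, qtype, rcode; not the format of any real resolver), groups queries whose name falls under a `_openpgpkey` label by client, and flags clients that ask for many distinct hashed names in a short window, reporting how many answers were NXDOMAIN and how many arrived over UDP rather than TCP. The window and the threshold are assumptions chosen for the example, not values from the discussion.

```python
"""Detect bulk OPENPGPKEY lookups (address mining) in DNS query logs.

Added defender-side example, not code from the original thread or any
DNS server. Log format is constructed and simplified:
    <ISO-8601 time> <client-ip> <udp|tcp> <qname> <qtype> <rcode>
The 60-second window and the 4-name threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 198.51.100.7 walks several hashed names under
# _openpgpkey.example.com over UDP; 203.0.113.9 does one ordinary lookup
# of an existing key over TCP plus an unrelated A query.
SAMPLE_LOG = """\
2015-09-16T12:50:01Z 198.51.100.7 udp 1a2b._openpgpkey.example.com OPENPGPKEY NXDOMAIN
2015-09-16T12:50:01Z 198.51.100.7 udp 3c4d._openpgpkey.example.com OPENPGPKEY NOERROR
2015-09-16T12:50:02Z 198.51.100.7 udp 5e6f._openpgpkey.example.com OPENPGPKEY NXDOMAIN
2015-09-16T12:50:02Z 198.51.100.7 udp 7a8b._openpgpkey.example.com OPENPGPKEY NXDOMAIN
2015-09-16T12:50:03Z 198.51.100.7 udp 9c0d._openpgpkey.example.com OPENPGPKEY NXDOMAIN
2015-09-16T12:50:03Z 203.0.113.9 tcp 3c4d._openpgpkey.example.com OPENPGPKEY NOERROR
2015-09-16T12:50:04Z 203.0.113.9 udp www.example.com A NOERROR
"""


def parse_line(line):
    """Split one constructed log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, transport, qname, qtype, rcode = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"time": when, "client": client, "transport": transport.lower(),
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper(),
            "rcode": rcode.upper()}


def is_openpgpkey_probe(rec):
    """True when the qname has the shape <hash>._openpgpkey.<domain>."""
    labels = rec["qname"].split(".")
    return len(labels) >= 3 and labels[1] == "_openpgpkey"


def find_enumerators(log_text, window=timedelta(seconds=60), min_distinct=4):
    """Return {client: summary} for clients that query at least
    `min_distinct` distinct OPENPGPKEY names inside one sliding `window`.
    The summary describes the busiest window seen for that client."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_openpgpkey_probe(rec):
            per_client[rec["client"]].append(rec)

    flagged = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most `window`.
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            burst = recs[start:end + 1]
            names = {r["qname"] for r in burst}
            best = flagged.get(client, {}).get("distinct_names", 0)
            if len(names) >= min_distinct and len(names) > best:
                flagged[client] = {
                    "distinct_names": len(names),
                    "nxdomain": sum(r["rcode"] == "NXDOMAIN" for r in burst),
                    "udp": sum(r["transport"] == "udp" for r in burst),
                    "tcp": sum(r["transport"] == "tcp" for r in burst),
                }
    return flagged


if __name__ == "__main__":
    for client, summary in find_enumerators(SAMPLE_LOG).items():
        print(client, summary)
```

A high NXDOMAIN ratio is the tell here: a legitimate sender looks up the one name it is about to mail, while someone walking hashed local-parts will mostly miss. The transport counts make the point the message raises about UDP visible in the same report, so the DNS operator has something concrete to hand to the mail team.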