2016-11-12 On NIST Special Publication 1800-6, DNS Based Email Security
NIST has published a document on email security. I have some comments on that:
- It is perhaps not surprising that nist.gov itself has not
implemented its own recommendations regarding
DNSSEC/DANE. Although nist.gov is protected with DNSSEC, the MX
record directly points to nist-gov.mail.protection.outlook.com
which is unprotected. Perhaps NIST can convince Microsoft to add
DNSSEC/DANE records to their hosted email solution.
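The check a mail operator would run here is whether the MX host publishes a TLSA record and whether that record matches the certificate the server presents. The following is an added example (not from the post or from NIST): it builds the DANE owner name for an MX host, parses TLSA RDATA into its usage/selector/matching-type fields, generates the "3 1 1" record an operator would publish for their own server, and verifies a record against a certificate. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not a real certificate; DNS lookup and DNSSEC validation are left to the resolver and are not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo
# (assumption: the caller supplies the real DER bytes from the TLS handshake).
CERT_DER = b"constructed-cert-der-bytes"
SPKI_DER = b"constructed-spki-der-bytes"


def tlsa_owner_name(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name a DANE SMTP client queries, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact data, 1 SHA-256, 2 SHA-512
    cert_data: bytes    # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TlsaRecord:
    """Split raw TLSA RDATA (three one-byte fields plus association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TlsaRecord(rdata[0], rdata[1], rdata[2], rdata[3:])


def _association_data(selector: int, matching_type: int,
                      cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply selector and matching type to the presented certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa_rdata(cert_der: bytes, spki_der: bytes, usage: int = 3,
                     selector: int = 1, matching_type: int = 1) -> bytes:
    """RDATA an operator publishes for their own server (default '3 1 1')."""
    return bytes([usage, selector, matching_type]) + \
        _association_data(selector, matching_type, cert_der, spki_der)


def smtp_usable(record: TlsaRecord) -> bool:
    """RFC 7672 treats PKIX usages 0 and 1 as unusable for SMTP; only 2 and 3 apply."""
    return record.usage in (2, 3)


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the TLSA record."""
    if not smtp_usable(record):
        return False
    try:
        expected = _association_data(record.selector, record.matching_type,
                                     cert_der, spki_der)
    except (KeyError, ValueError):
        return False  # unknown selector/matching type: record is unusable
    return hmac.compare_digest(expected, record.cert_data)


def presentation(record: TlsaRecord) -> str:
    """Zone-file form: '3 1 1 <hex>'."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.cert_data.hex()}"


if __name__ == "__main__":
    rdata = build_tlsa_rdata(CERT_DER, SPKI_DER)
    rec = parse_tlsa_rdata(rdata)
    print(tlsa_owner_name("mx.example.com"), "IN TLSA", presentation(rec))
    print("matches presented cert:", tlsa_matches(rec, CERT_DER, SPKI_DER))
```

For a usage-2 (DANE-TA) record the same matching logic applies to each certificate in the chain rather than the leaf only; for usage 3 the leaf is matched and the hostname and expiry checks are skipped, which is why the DNSSEC chain to the TLSA record must validate before the record is trusted at all.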
- Perhaps NIST can suggest to various US government regulators
that they should make DNSSEC/DANE a requirement for financial
institutions and large defense contractors. See
this for a list of some of them.
- Page 19, section 1.1, "...when DNSSEC and DANE are turned on,
mail servers experience severe service degradation or crashes due
to large numbers of retransmission attempts." I have been running
production sendmail servers with DNSSEC/DANE validation for the
last four months and have not seen this issue. It is unclear which
specific error scenario that sentence is referring to.
- Page 31, section 4.4.2.2, talks about VRFY and EXPN for dictionary
harvesting. From a log file with 170K "RCPT TO" commands, I see only
19 "VRFY" commands and not a single "EXPN" command. Those mechanisms
might have been popular long ago, but current spammers don't seem to
even try them anymore.
- Page 31, section 4.4.2.2, "In Microsoft Exchange, account
enumeration is not generally an issue. In environments other than
Microsoft Exchange, account enumeration is not generally an
issue." So it is never an issue? The only account enumeration
that I see in my logs is folks using many different machines to
each send one "RCPT TO" command.
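The two observations above (VRFY/EXPN counts versus RCPT TO, and enumeration spread across many source hosts each sending one RCPT TO) are easy to measure from a mail log. The following is an added example, not from the post: it tallies SMTP commands per client in a constructed, simplified per-command log (one line per command, not real sendmail syslog output) and flags the distributed pattern where most clients issue exactly one RCPT TO. The log format and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, one command per line (assumed format, not sendmail's).
SAMPLE_LOG = """\
2016-11-12T10:00:01 client=203.0.113.5 cmd=RCPT TO:<alice@example.com>
2016-11-12T10:00:02 client=203.0.113.6 cmd=RCPT TO:<bob@example.com>
2016-11-12T10:00:03 client=203.0.113.7 cmd=RCPT TO:<carol@example.com>
2016-11-12T10:00:04 client=203.0.113.8 cmd=RCPT TO:<dave@example.com>
2016-11-12T10:00:05 client=198.51.100.9 cmd=MAIL FROM:<news@partner.example>
2016-11-12T10:00:06 client=198.51.100.9 cmd=RCPT TO:<list@example.com>
2016-11-12T10:00:07 client=198.51.100.9 cmd=RCPT TO:<ops@example.com>
2016-11-12T10:00:08 client=198.51.100.9 cmd=RCPT TO:<dev@example.com>
2016-11-12T10:00:09 client=203.0.113.9 cmd=VRFY root
"""

LINE_RE = re.compile(
    r"^\S+ client=(?P<ip>[0-9.]+) cmd=(?P<cmd>RCPT TO|MAIL FROM|VRFY|EXPN)\b"
)


def parse_log(text: str):
    """Yield (client_ip, command) for each line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("cmd")


def tally_commands(text: str) -> Counter:
    """How often each command appears; the VRFY/EXPN vs RCPT TO comparison."""
    counts = Counter(cmd for _, cmd in parse_log(text))
    for cmd in ("RCPT TO", "VRFY", "EXPN"):
        counts.setdefault(cmd, 0)
    return counts


def rcpt_per_client(text: str) -> dict:
    """Number of RCPT TO commands issued by each client address."""
    per_client = defaultdict(int)
    for ip, cmd in parse_log(text):
        if cmd == "RCPT TO":
            per_client[ip] += 1
    return dict(per_client)


def single_probe_clients(text: str) -> list:
    """Clients that sent exactly one RCPT TO: the distributed-enumeration shape."""
    return sorted(ip for ip, n in rcpt_per_client(text).items() if n == 1)


def distributed_enumeration_suspected(text: str, min_clients: int = 3,
                                      min_fraction: float = 0.5) -> bool:
    """Flag when at least min_clients clients each sent one RCPT TO and they
    make up at least min_fraction of all RCPT TO clients (thresholds assumed)."""
    per_client = rcpt_per_client(text)
    if not per_client:
        return False
    singles = len(single_probe_clients(text))
    return singles >= min_clients and singles / len(per_client) >= min_fraction


if __name__ == "__main__":
    print(tally_commands(SAMPLE_LOG))
    print("single-probe clients:", single_probe_clients(SAMPLE_LOG))
    print("distributed enumeration suspected:",
          distributed_enumeration_suspected(SAMPLE_LOG))
```

On real logs the useful next step is to join the single-probe clients against the rejected (unknown user) responses: a high ratio of unknown recipients across many one-shot clients is the signal that per-host rate limits miss, and that a recipient-level or network-level counter catches.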
- Page 33, section 4.4.3, "New and existing regulations are force
organizations to". Should be "forcing".
- Page 33, section 4.4.3, "Employees sending personal emails
and sifting through spam mail can cause major loss of
productivity." with a footnote "Current SPAM filtering solutions
... and DNSSEC achieves this authentication". DNSSEC does nothing
to stop spam - unless you take the step of refusing all mail from
domains that are not protected with DNSSEC. But no one can do
that, since none of GMail, Yahoo, or Outlook uses DNSSEC.
- Page 38, section 4.4.4.2 2.a DE.DP-4, "abort delivery of
messages from sources" should be "abort delivery of messages to
destinations". DNSSEC/DANE is all about validating the destination
mail server.
- Page 38, section 4.4.4.3 2, The RS.CO-2 text is duplicated
in both 2 and 2.a.