To better ensure the minimum number of DNS transactions occur while
processing DNS SSP and key TXT records, especially for domains that do
not implement email, the SSP draft should mandate publishing MX
records whenever an SSP record is also published. Since the SSP
discovery process makes use of MX record queries to determine whether
the domain exists, then when an SSP record is returned for a domain
that has not published an MX record, this thereby signals that both
email and DKIM are NOT used for email addresses at this domain. This
strategy affords a better cache hit rate during the SSP discovery
process, the detection of fraudulent uses of the domain, and a means
to protect second level domains.
Per the draft, an NXDOMAIN reply for an Author domain lookup already
terminates the SSP algorithm with "failure". This is good enough.
DKIM and SSP are not appropriate vehicles for making other records
mandatory where now they are not.
When the SSP record is returned without there also being
an MX record at the Author Domain, the signature SHOULD BE considered
fraudulent without further DNS transactions being attempted.
I oppose the re-introduction of "suspicious", "fraudulent", etc.
Those are overly-specific interpretations of failures that will
more often than not have non-malicious causes.
NOTE WELL: This list operates according to