On Feb 12, 2008, at 7:23 AM, Wietse Venema wrote:
To better ensure the minimum number of DNS transactions occur while
processing DNS SSP and key TXT records, especially for domains that
do not implement email, the SSP draft should mandate publishing MX
records whenever an SSP record is also published. Since the SSP
discovery process makes use of MX record queries to determine
whether the domain exists, then when an SSP record is returned for
a domain that has not published an MX record, this thereby signals
that both email and DKIM are NOT used for email addresses at this
domain. This strategy affords a better cache hit rate during the
SSP discovery process, the detection of fraudulent uses of the
domain, and a means to protect second level domains.
Per the draft, an NXDOMAIN reply for an Author domain lookup already
terminates the SSP algorithm with "failure". This is good enough.
DKIM and SSP are not appropriate vehicles for making other records
mandatory where now they are not.
SSP already suggests querying MX records to facilitate discovery.
(Even though an MX record does not need to be published.) What
prevents SSP making the publication of this record mandatory? Is
there any valid reason for a domain that implements DKIM not to also
publish an MX record? This record is _essential_ for truncating all
sorts of policy discoveries that might become associated with the
introduction of DKIM.
When a domain does exist, there is currently no means for the domain
owner to truncate a policy discovery processes walking up to the next
domain and then requesting any number of key records. In addition,
there is also no positive means for this domain owner to disavow
messages inducing undesired policy and DKIM transactions to prevent
these additional transactions. Without this convention, there will be
two or more transactions that this convention could prevent,
significantly transactions at parent domains. In addition, this
convention also makes it explicit any message related to this domain
has been disavowed by this convention. Juice worth the squeezing. : )
When the SSP record is returned without there also being an MX
record at the Author Domain, the signature SHOULD BE considered
fraudulent without further DNS transactions being attempted.
I oppose the re-introduction of "suspicious", "fraudulent", etc.
Those are overly-specific interpretations of failures that will more
often than not have non-malicious causes.
Agreed. However, having an SSP record while not having an MX record
seems like a rare failure mode. Perhaps the message result could be
called "disavowed" or "unsupported". The important aspect of the
definition is to avoid there being any implied message handling
without knowing the reliability of this convention.
NOTE WELL: This list operates according to