On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
> Again, to repeat what I said at the mic:
> The current, 3-step procedure is certainly an improvement, however I
> understand the need for the second step, in terms of ASP
> In any early discussion of this, I believe Jim said he thought it
> carry-over from an earlier version of the spec where the need was
> In any event, I think the current question is: What is it about ASP
> opposed to concerns outside of ASP's scope -- that requires checking
Without that check, an unsigned mail from
foo@bar.baz.ebay.com will be
considered to comply with ASP unless there is an ASP record for
_asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
It's difficult to publish a wildcard ASP record with standard DNS
servers. So there is no easy way to publish an ASP assertion for "my
domain and all subdomains of it". It is only possible to publish an
ASP assertion for a finite list of hostnames.
The domain existence check means that only a defined number of ASP
records need to be published (the number of hostnames you publish
would be an upper bound unless you're using wildcards anywhere else in
your DNS, in which case all bets are off).
Removing the check removes the ability for a domain owner to make an
ASP assertion about all possible subdomains of that domain. It seems
within scope for ASP.
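An added illustration of the argument above (not code from the thread or from the ASP draft): with a small constructed DNS table, the same unsigned message from foo@bar.baz.ebay.com is evaluated with and without the domain existence step, showing that only the existence check catches mail from a subdomain nobody created, since ASP records cannot be wildcarded. The lookup order (author domain, then its immediate parent) and the existence test are simplifying assumptions taken from the message.

```python
# Added illustration (not code from the thread or from the ASP spec) of the
# point made above: the "domain existence" step is what catches unsigned
# mail from subdomains nobody ever created, because ASP records cannot be
# wildcarded. DNS is modelled as a constructed in-memory table.

ASP_PREFIX = "_asp._domainkey."

# Constructed zone data: ebay.com and baz.ebay.com exist; ebay.com publishes
# an ASP record; bar.baz.ebay.com was never created and there is no wildcard.
CONSTRUCTED_DNS = {
    "ebay.com": {"MX": ["mail.ebay.com."]},
    "_asp._domainkey.ebay.com": {"TXT": ["dkim=all"]},
    "baz.ebay.com": {"A": ["192.0.2.10"]},
}


def domain_exists(dns, domain):
    """Existence check: a name exists if it owns a record or if any name
    below it does (an empty non-terminal). Anything else would be NXDOMAIN."""
    return any(n == domain or n.endswith("." + domain) for n in dns)


def asp_record(dns, domain):
    """Fetch the ASP TXT record published for exactly this domain, if any."""
    txt = dns.get(ASP_PREFIX + domain, {}).get("TXT", [])
    return txt[0] if txt else None


def evaluate_unsigned(dns, author, check_existence=True):
    """Outcome for an unsigned message from `author`.

    Assumption (simplified from the thread): the record is looked up at the
    author domain and then at its immediate parent, as the message above
    describes; nothing further up the tree is consulted.
    """
    domain = author.rsplit("@", 1)[1].lower()
    if check_existence and not domain_exists(dns, domain):
        return "nonexistent-domain"
    parent = domain.split(".", 1)[1] if domain.count(".") >= 2 else None
    for candidate in (domain, parent):
        if candidate is None:
            continue
        record = asp_record(dns, candidate)
        if record is not None:
            return "policy:" + record  # e.g. dkim=all: unsigned mail is non-compliant
    return "no-policy"                 # nothing published: treated as compliant


if __name__ == "__main__":
    for check in (True, False):
        print(check, evaluate_unsigned(CONSTRUCTED_DNS, "foo@bar.baz.ebay.com", check))
```

Without the check the non-existent subdomain yields "no-policy" and the unsigned message passes; with it the message is flagged as coming from a domain that does not exist.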