This issue encompasses some others, but I believe it is more basic and
informs the others and therefore needs to be resolved separately:
There is a basic difference between trying to protect a single domain name,
versus trying to protect an entire sub-tree.
1. The DNS was not designed with sub-tree operators. The wildcard mechanism
is a very narrowly-defined capability and is useless in the face of
underscore-based naming, since the underscore node really defines an attribute
of the domain name it is under, rather than defining a true "name".
What this leaves us with is attempting to invent mechanisms that turn out
to do only a partial job, at best.
2. Some of the sub-tree effort is for administrative convenience. Some is for
It's not clear that the specification is clear about this distinction.
It is not clear that the specification is clear about the motivations that
make it mandatory to add sub-tree mechanisms to the specification.
3. At least one of the sub-tree mechanisms is attempting to glean information
from the absence of publisher action. Let me explain:
I believe the desire with checking the A record is similar to the idea
behind having ADSP in the first place.
a) DKIM is for declaring the presence of an accountable identity. If a
signature is present, you know something. If it is absent, you know nothing.
b) ADSP attempts to tell you something, in the absence of a signature.
It does that by defining something else that must be present. If the ADSP
record is present, you know something. If it is absent, you know nothing extra.
c) Checking for the presence of an A record is intended to try to tell you
something in the absence of an explicit action by the domain owner. That's the
flaw: It is intuiting ADSP information from non-ADSP action.
While there is nothing wrong with checking the A record, its semantics
have literally nothing (directly) to do with ADSP.
All of the above of course implies some specific actions, but for this note,
my real goal is to get much more explicit discussion and consensus about the
difference between protecting a single domain name, versus protecting a tree of
names, and to get consensus about each of these as separable goals.