that any reasonable "outsider" will look at a spec that doesn't allow
him to specify in one step (rather than hopefully-correctly attached to
every single zone entry now and through all future changes) "Acme Corp's
email is ALL signed, or it's not ours" and wonder what the spec authors
Huh? The DNS doesn't provide any way to do anything to an entire zone
other than AXFR.
The only way to cover an entire zone with ADSP is to create an ADSP
tree parallel to all of the names in the zone, i.e. for every
foo.bar.example.com put in a _adsp._domainkey.foo.bar.example.com. If
the existing tree has any wildcards, you can't do it. The current
version of ADSP has a one level tree walk that modestly decreases the
number of records you have to add, in exchange for making every ADSP
lookup more complicated.
The question that I haven't seen addressed directly is why it's so
important to provide ADSP for domains that don't exist. Doing a DNS
lookup to see if the domain in a putative sending address exists has
been a useful anti-spam trick for a long time, far predating DKIM.
Mail filters often do that even though they don't check DKIM and don't
check ADSP. So what's the point of importing it into ADSP?
My strong preference would be to take out all of the tree walking and
existence checking, and replace it with a note pointing out that ADSP
only applies to domains that exist.
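The parallel-tree problem and the one-level tree walk described above, as an added example that is not part of the original post or of any ADSP implementation. It assumes a small constructed zone, models DNS existence with a one-level wildcard match only, and treats the ADSP lookup as a plain dictionary check rather than real TXT queries:

```python
"""Simulated ADSP coverage planner for a DNS zone (constructed example)."""
from typing import Dict, Optional, Set, Tuple

ADSP_PREFIX = "_adsp._domainkey."

# Constructed zone: owner names only; the record types do not matter here.
ZONE_APEX = "example.com"
ZONE_NAMES: Set[str] = {
    "example.com",
    "mail.example.com",
    "bar.example.com",
    "foo.bar.example.com",
    "*.dyn.example.com",   # wildcard: stands for an unbounded set of names
}


def adsp_name(domain: str) -> str:
    """Owner name where the ADSP TXT record for `domain` would live."""
    return ADSP_PREFIX + domain


def parent(domain: str) -> Optional[str]:
    """Drop the leftmost label; None once there is nothing left to drop."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def parallel_tree(zone_names: Set[str]) -> Tuple[Set[str], Set[str]]:
    """No tree walk: one ADSP record per name in the zone.

    Returns (records_needed, uncoverable). A wildcard owner cannot be
    mirrored, because no finite list of _adsp._domainkey.* entries
    covers every name the wildcard synthesises."""
    records: Set[str] = set()
    uncoverable: Set[str] = set()
    for name in zone_names:
        if "*" in name:
            uncoverable.add(name)
        else:
            records.add(adsp_name(name))
    return records, uncoverable


def one_level_walk(zone_names: Set[str], apex: str) -> Tuple[Set[str], Set[str]]:
    """With a one-level walk a record at the parent also covers the child,
    so place each record at the parent whenever the parent is in the zone."""
    records: Set[str] = set()
    uncoverable: Set[str] = set()
    for name in zone_names:
        if "*" in name:
            uncoverable.add(name)
            continue
        p = parent(name)
        holder = p if p is not None and in_zone(p, apex) else name
        records.add(adsp_name(holder))
    return records, uncoverable


def name_exists(name: str, zone_names: Set[str]) -> bool:
    """Simplified existence check: exact owner, or a one-label wildcard."""
    if name in zone_names:
        return True
    p = parent(name)
    return p is not None and ("*." + p) in zone_names


def lookup_adsp(records: Set[str], author_domain: str, zone_names: Set[str],
                walk_levels: int = 1) -> str:
    """Simulated verifier: existence check first, then look for the ADSP
    record at the author domain and up to `walk_levels` parents."""
    if not name_exists(author_domain, zone_names):
        return "nxdomain"
    d: Optional[str] = author_domain
    for _ in range(walk_levels + 1):
        if d is None:
            break
        if adsp_name(d) in records:
            return "found at " + d
        d = parent(d)
    return "none"


def coverage_report() -> Dict[str, int]:
    """How many records each strategy needs for the constructed zone."""
    flat, _ = parallel_tree(ZONE_NAMES)
    walked, _ = one_level_walk(ZONE_NAMES, ZONE_APEX)
    return {"parallel_tree": len(flat), "one_level_walk": len(walked)}


if __name__ == "__main__":
    print(coverage_report())
    walked, gaps = one_level_walk(ZONE_NAMES, ZONE_APEX)
    print("uncoverable:", gaps)
    print(lookup_adsp(walked, "foo.bar.example.com", ZONE_NAMES))
    print(lookup_adsp(walked, "host.dyn.example.com", ZONE_NAMES))
```

The report shows the walk cutting the record count but not removing the wildcard gap: `host.dyn.example.com` passes the existence check via the wildcard, yet no ADSP record at it or its parent is ever found, which is the situation the post describes.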