ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Expiration Tag (x=) is required to minimize DNSlookups.

2006-04-18 10:59:45

----- Original Message -----
From: "Steve Atkins" <steve(_at_)blighty(_dot_)com>


But it still an optimization concept:

     - No need to DNS lookup, regardless of TTL state.

Yes. DNS is cheap, and NXDOMAIN is cached, though. How often, in
practice, do you think that even an MUA, let alone an MTA, will be
seeing a significant fraction of expired signatures?

But are we ready to presume it is foregone that this will be low?  Low or
high, I still don't think it substracts from the optimization consideration
based on the current semantics of the protocol.

What are saying anyway?  That a DNS lookup should always be done anyway,
therefore a x=tag or any other short-circuiting concept that would provide
the same optimozed result is not required?

A side nit: We have no 100% reliable conclusion that all verifying sites
will have the same 100% reliable DNS operations.

     - No need to do any SHA256 Hashing on a potential HUGE payload.

If the public key has expired from DNS, then you wouldn't be
doing that anyway, would you? (If your MTA were ill-designed
enough to do that it would also be doing so for the significantly
larger fraction of email that has falsified DKIM headers, which would
seem a much bigger problem.)

I think this all depends on the semantics and what time x= points too in the
cycle of key life and in combination with TTL, who know what chaotic timing
and caching issue we are dealing with.

But yes, you are correct, The current semantic for making a key invalid if
when the key p= tag is empty or a NXDOMAIN and in this case, there is no
hashing overhead.  Also keep in mind that this (NXDOMAIN) means with Section
6.2 Step 2.

This is clearly an optimization any good engineer will see.

I don't really care one way or the other, but describing this
feature as "clearly an optimization" seems to overstate the case.

Probably. But it also depends on what a verifier is experiencing and I am
for using our insights to make this an efficient system without changing the
end results.   The concept is clearly an optimization because the results
are not changed.  It is clear step to removing any additional processing or
consideration required.

I am not disagreeing that it net effect is major. By no means, but if you
don't have to do an DNS lookup, and the specs has an implicit semantics to
this effort, and the end results are the same whether you do or not, then
why enforce it?

Thanks

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com








_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html