ietf-dkim

Re: [ietf-dkim] question on _domainkey prefix to DNS query (and record)

2006-04-24 10:14:00

On Apr 24, 2006, at 5:28 AM, Amir Herzberg wrote:

> A small, interesting difference between SPF and DKIM is in the DNS query. In SPF, the query is to the specific domain (typically from MAIL FROM), e.g. cs.biu.ac.il (for me). In DKIM, the query is to _domainkey.cs.biu.ac.il. Both SPF and DKIM plan to roll out their own DNS record but for the time being will mostly use the TXT record.
>
> I think there are reasons for each choice, and would appreciate feedback as to whether these are the real and only reasons.

The name location is <selector>._domainkey.<example.com>. With a possibly large key size, it is vital the location of the key RR be isolated by name. In addition, there are also any number of keys per domain.

> The benefit to the DKIM design is that it avoids overloading the 'main' TXT record for the domain, e.g. cs.biu.ac.il. Namely, if this domain wanted to use both DKIM and SPF (and maybe other TXT records for other purposes), then it may end up with too many TXT records returned to the query for the domain (cs.biu.ac.il) and the 'right' record may not reach the requestor. Right?

UDP could not be expected to service such requests without name separation, even with increased response sizes enabled by both the client and server.

> The benefit to the SPF design is that it allows placing the record higher up in the DNS tree. Namely, by _not_ including a TXT record for cs.biu.ac.il, a query may bring the TXT record for biu.ac.il; so if the entire BIU wants to have a single SPF record at biu.ac.il, this is easier. Right?

It is hard to determine a benefit related to SPF owing to the scale of the possible answer. See:

http://www.ietf.org/internet-drafts/draft-otis-spf-dos-exploit-00.txt

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
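As an added example (not code from this thread or from either author), the script below does the lookup-side work a DKIM verifier does and then measures what the two record layouts discussed above cost on the wire. It takes the d= and s= tags from a constructed DKIM-Signature header, builds the <selector>._domainkey.<domain> query name, and computes the size of the TXT answer for (a) the layout the thread describes, SPF at the apex and each key under its own selector name, and (b) a layout that stores the keys as ordinary TXT records at the apex beside SPF. The zone contents, the header, and the public keys (byte patterns with the length of a 2048-bit RSA key, not real keys) are all constructed; names are left uncompressed, so the sizes are upper bounds.

```python
"""DKIM key placement and DNS answer size, on a constructed zone (no network access)."""
import base64
import struct

DNS_HEADER_LEN = 12       # RFC 1035 message header
TXT_STRING_MAX = 255      # one TXT <character-string> holds at most 255 octets
CLASSIC_UDP_LIMIT = 512   # maximum UDP DNS message size without EDNS0


def dkim_query_name(selector: str, domain: str) -> str:
    """The name a DKIM verifier queries for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".rstrip(".") + "."


def parse_dkim_signature(header_value: str) -> dict:
    """Tag=value pairs of a DKIM-Signature header value, folding whitespace removed."""
    tags = {}
    for part in header_value.replace("\r\n", "").split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip()] = "".join(value.split())
    return tags


def txt_strings(text: str) -> list:
    """Chunk a TXT value into <=255-octet strings (a 2048-bit key record needs two)."""
    data = text.encode()
    return [data[i:i + TXT_STRING_MAX] for i in range(0, len(data), TXT_STRING_MAX)]


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def txt_rr(owner: str, text: str, ttl: int = 3600) -> bytes:
    """One TXT resource record: NAME TYPE(16) CLASS(IN) TTL RDLENGTH RDATA."""
    rdata = b"".join(bytes([len(s)]) + s for s in txt_strings(text))
    return encode_name(owner) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def answer_size(qname: str, zone: dict) -> int:
    """Bytes in a TXT response for qname: header, question, and every TXT RR at that
    exact owner name. Names are not compressed, so this is an upper bound."""
    question = encode_name(qname) + struct.pack("!HH", 16, 1)
    rrs = b"".join(txt_rr(qname, text) for text in zone.get(qname, []))
    return DNS_HEADER_LEN + len(question) + len(rrs)


def fits_in_udp(size: int, limit: int = CLASSIC_UDP_LIMIT) -> bool:
    return size <= limit


def pick_record(zone: dict, qname: str, prefix: str):
    """The single TXT record starting with prefix, or None unless exactly one matches."""
    matches = [t for t in zone.get(qname, []) if t.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


# Placeholder keys with the length of a 2048-bit RSA SubjectPublicKeyInfo (294 DER bytes,
# 392 base64 characters). They are constructed byte patterns, not real keys.
FAKE_KEY_A = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
FAKE_KEY_B = base64.b64encode(bytes(38) + bytes(range(256))).decode()
DKIM_RECORD_A = "v=DKIM1; k=rsa; p=" + FAKE_KEY_A
DKIM_RECORD_B = "v=DKIM1; k=rsa; p=" + FAKE_KEY_B

# Constructed DKIM-Signature header value; the bh= and b= values are dummies.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.biu.ac.il; s=mail;\r\n"
    "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ="
)

# Layout discussed in the thread: SPF at the apex, each key under its own selector name.
ZONE_SEPARATED = {
    "cs.biu.ac.il.": ["v=spf1 mx -all"],
    "mail._domainkey.cs.biu.ac.il.": [DKIM_RECORD_A],
    "next._domainkey.cs.biu.ac.il.": [DKIM_RECORD_B],   # second key, e.g. staged for rotation
}

# Alternative layout: keys as plain TXT records at the apex. With no selector in the name,
# both keys and the SPF record share one RRset, and every TXT query returns all of them.
ZONE_APEX_KEYS = {
    "cs.biu.ac.il.": ["v=spf1 mx -all", DKIM_RECORD_A, DKIM_RECORD_B],
}


def compare_layouts() -> dict:
    """Answer sizes, in bytes, for the queries a verifier issues under each layout."""
    tags = parse_dkim_signature(SAMPLE_DKIM_SIGNATURE)
    key_name = dkim_query_name(tags["s"], tags["d"])
    return {
        "separated_spf": answer_size("cs.biu.ac.il.", ZONE_SEPARATED),
        "separated_dkim": answer_size(key_name, ZONE_SEPARATED),
        "apex_keys": answer_size("cs.biu.ac.il.", ZONE_APEX_KEYS),
    }


if __name__ == "__main__":
    for label, size in compare_layouts().items():
        print(f"{label:15s} {size:4d} bytes  fits in {CLASSIC_UDP_LIMIT}-byte UDP: {fits_in_udp(size)}")
    print("SPF at apex:", pick_record(ZONE_APEX_KEYS, "cs.biu.ac.il.", "v=spf1"))
    print("DKIM key at apex:", pick_record(ZONE_APEX_KEYS, "cs.biu.ac.il.", "v=DKIM1"))
```

With the selector layout, the apex TXT answer is 69 bytes and the key answer 498 bytes, each within the classic 512-byte UDP limit; with two keys at the apex the single TXT answer grows to 941 bytes, and pick_record() cannot even tell the two key records apart, since nothing in the name says which selector a signature refers to. Raising the limit (EDNS0) moves the threshold but not the growth: every additional key at the apex lands in the same RRset that SPF clients also have to fetch.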
