On Apr 24, 2006, at 5:28 AM, Amir Herzberg wrote:
> A small, interesting difference between SPF and DKIM is in the DNS
> query. In SPF, the query is to the specific domain (typically from
> MAIL FROM), e.g. cs.biu.ac.il (for me). In DKIM, the query is to
> _domainkey.cs.biu.ac.il. Both SPF and DKIM plan to roll out their
> own DNS record but for the time being will mostly use the TXT record.
> I think there are reasons for each choice, and would appreciate
> feedback as to whether these are the real and only reasons.
The name location is <selector>._domainkey.<example.com>. With a
possibly large key size, it is vital the location of the key RR be
isolated by name. In addition, there are also any number of
keys per domain.
> The benefit to the DKIM design is that it avoids overloading the
> `main` TXT record for the domain, e.g. cs.biu.ac.il. Namely, if
> this domain wanted to use both DKIM and SPF (and maybe other TXT
> records for other purposes), then it may end up with too many TXT
> records returned to the query for the domain (cs.biu.ac.il) and the
> `right` record may not reach the requestor. Right?
UDP could not be expected to service such requests without name
separation, even with increased response sizes enabled by both the
client and server.
> The benefit to the SPF design is that it allows placing of the
> record higher up in the DNS tree. Namely, by _not_ including a TXT
> record for cs.biu.ac.il, a query may bring the TXT record for
> biu.ac.il; so if entire BIU wants to have a single SPF record at
> biu.ac.il, this is easier. Right?
It is hard to determine a benefit related to SPF owing to the scale
of the possible answer. See:
http://www.ietf.org/internet-drafts/draft-otis-spf-dos-exploit-00.txt
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
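The size argument in the exchange above (a large DKIM key sharing the domain's TXT RRset with SPF and other TXT records versus the key isolated under <selector>._domainkey.<domain>) can be checked with a few lines of wire-format arithmetic. The following is an added example, not code from the thread or from any SPF or DKIM implementation: it encodes DNS TXT answers for a small constructed zone and measures the response size against the 512-byte UDP limit and a typical EDNS0 buffer. The names cs.biu.ac.il and biu.ac.il come from the thread; the selector `mail`, every record text and the placeholder key are constructed for illustration, and the SPF mechanisms shown are not BIU's real policy. The `lookup_txt` helper also shows that a TXT query returns only the records held at the exact name queried.

```python
# Added example, not code from the thread or from either SPF or DKIM
# implementations. It builds DNS wire-format TXT answers for a small
# constructed zone and measures their size, to show why placing the DKIM
# key under <selector>._domainkey.<domain> keeps a large key out of the
# domain's own TXT RRset. Domain names reuse cs.biu.ac.il / biu.ac.il from
# the thread; every record, selector and key below is constructed.
import base64
import struct

UDP_LIMIT_CLASSIC = 512   # RFC 1035 UDP payload limit without EDNS0
UDP_LIMIT_EDNS = 4096     # a commonly advertised EDNS0 buffer size


def spf_query_name(mail_from_domain: str) -> str:
    # SPF queries the MAIL FROM domain itself.
    return mail_from_domain.rstrip(".").lower()


def dkim_query_name(selector: str, domain: str) -> str:
    # DKIM queries <selector>._domainkey.<signing domain>.
    return f"{selector}._domainkey.{domain.rstrip('.')}".lower()


def encode_name(name: str) -> bytes:
    # Uncompressed wire-format name: length-prefixed labels, root label last.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    # TXT RDATA is a sequence of <length><string> chunks of at most 255 bytes,
    # so a DKIM p= value longer than 255 characters always spans several chunks.
    raw = text.encode("ascii")
    rdata = b""
    for i in range(0, len(raw), 255):
        chunk = raw[i:i + 255]
        rdata += struct.pack("B", len(chunk)) + chunk
    return rdata


def txt_answer_rr(text: str, ttl: int = 3600) -> bytes:
    # Answer RR whose owner is a 2-byte compression pointer to the question
    # name at offset 12, as in a normal resolver response.
    rdata = encode_txt_rdata(text)
    return b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def txt_response_size(owner: str, texts) -> int:
    # 12-byte header + question (name, QTYPE, QCLASS) + one RR per TXT string.
    header = 12
    question = len(encode_name(owner)) + 4
    return header + question + sum(len(txt_answer_rr(t)) for t in texts)


def lookup_txt(zone: dict, name: str) -> list:
    # A TXT query returns only the records held at the exact name asked for.
    return list(zone.get(name.rstrip(".").lower(), []))


def would_truncate(size: int, limit: int) -> bool:
    # Past the limit the server sets TC=1 and the client must retry over TCP.
    return size > limit


# --- constructed zone (placeholder data, not BIU's real records) --------
DER_LEN_RSA2048 = 294  # size of a DER SubjectPublicKeyInfo for a 2048-bit RSA key
FAKE_PUBKEY_B64 = base64.b64encode(bytes(i % 256 for i in range(DER_LEN_RSA2048))).decode()
DKIM_RECORD = "v=DKIM1; k=rsa; p=" + FAKE_PUBKEY_B64   # placeholder, not a real key

APEX_TXT = [
    "v=spf1 mx a:smtp.cs.biu.ac.il ip4:192.0.2.0/24 include:_spf.biu.ac.il -all",
    "site-verification=0123456789abcdef0123456789abcdef",
    "MS=ms00000000",
]
ZONE = {
    "biu.ac.il": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "cs.biu.ac.il": APEX_TXT,
    dkim_query_name("mail", "cs.biu.ac.il"): [DKIM_RECORD],
}


def scenario_sizes() -> dict:
    apex = spf_query_name("cs.biu.ac.il")
    dkim = dkim_query_name("mail", "cs.biu.ac.il")
    return {
        "spf_apex": txt_response_size(apex, lookup_txt(ZONE, apex)),
        # What the apex answer would be if the key were *not* isolated by name.
        "apex_plus_key": txt_response_size(apex, lookup_txt(ZONE, apex) + [DKIM_RECORD]),
        "dkim_isolated": txt_response_size(dkim, lookup_txt(ZONE, dkim)),
    }


if __name__ == "__main__":
    for label, size in scenario_sizes().items():
        tc = would_truncate(size, UDP_LIMIT_CLASSIC)
        print(f"{label:14s} {size:5d} bytes  truncated at 512-byte UDP: {tc}")
    # Exact-name lookup only: a subdomain with no TXT RRset of its own gets
    # an empty answer, not the record held at biu.ac.il.
    print(lookup_txt(ZONE, "math.biu.ac.il"))
```

With a 2048-bit key the isolated DKIM answer fits in a classic 512-byte UDP response, while the same key added to an apex TXT RRset that already carries SPF and two unrelated tokens pushes that answer past 512 bytes, forcing a TC=1 reply and a TCP retry unless both sides negotiate a larger EDNS0 buffer. Swap `DER_LEN_RSA2048` for 162 (a 1024-bit key) to see how much of the margin depends on key size.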