ietf-dkim

Re: [ietf-dkim] Policy Discovery

2006-08-26 00:25:49
Jim Fenton wrote:
The next revision of that draft, although not finalized, will probably
do things differently.  It will check both for the existence of the SSP
record and for the existence of the domain.  If the domain exists but
the SSP record doesn't, then it will search up only one level.

And if nothing is found in those two levels, that's a way for spammers to
forge spam.

DKIM provides protection for a domain, as well as assurance to recipients.
If BigU.edu wants to have a global policy that its email is all protected,
this shouldn't be screwed up by incompetent or disgruntled underlings three
layers down.  It shouldn't be screwed up by unpredictable wildcard matching
in DNS servers.  It shouldn't require that every single host in BigU.edu
have a policy attached to it, given that in a BigU.edu environment with
30,000 hosts, this is nearly impossible to pull off.

The real problem here is that conceptually, policy should always always
always come from the top.  If the top-level policy wants to say that
sub-domains can set their own policy, that's fine, but it should be part
of the policy structure.  If a top-level policy wants to say that
sub-domains can NOT set their own policy, DKIM should give them that
power - without dictating how freely they manage administration of
subdomain DNS.
That's not really the way that things work with DNS.  Anyone that
administers a subdomain can publish an MX record and receive mail for
that subdomain.  There isn't any parent-domain restriction that can be
imposed.  Similarly, we aren't imposing parent-domain restrictions on
the SSP that a subdomain can publish.

But an MX record is a description of infrastructure, not policy.
The MX and the policy can both be stored and distributed in the
same way, via DNS, but there's no reason to require that they be
used in the same way.  And note that I'm not imposing any restrictions
on what's published either, only on how the information is honored.

The fact that anyone who admins a subdomain can publish what they
want is EXACTLY why policy should NOT be examined bottom-up.  It
makes global policy massively more difficult to implement, and in the
long run, global policy is what most big sites are going to migrate
towards.  My approach would make it easier (or simply possible)
to protect an entire domain, without making it any harder to provide
flexibility to subdomains for sites that want that.

This is an interesting and flexible idea, but somewhat outside our
threat envelope.  Subdomains can publish DKIM keys.  Why shouldn't they
always be able to publish SSP?

Not for us to say.  It's for them to say.  Why should BigU.edu have to
constantly worry about the flawlessness of their entire DNS structure
which is administered by 300 different sysadmins of wildly varying
abilities?

Effectively, anything but a top-down approach is dictating to BigU.edu
that either 1. they can't dictate policy to their own subdomains, or
2. if they want to dictate that policy, they're required to undertake
a massive restructuring of DNS management that's likely to remove most
of the control that the lower level sysadmins currently have.

And DKIM shouldn't force BigU.edu into that corner.

      tom

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
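The two discovery strategies argued over above, worked through as an added example that is not part of the thread or of any SSP draft: a constructed in-memory DNS snapshot (no real lookups) plus the draft's "check the domain, then one level up" search beside a top-down walk in which a parent policy can lock out subdomain overrides. The policy text syntax used here ("signed-all", "unsigned-ok", "sub=locked", "sub=open") is an assumption made for the illustration, not a DKIM or SSP record format, and the BigU.edu names are the thread's hypothetical ones.

```python
"""Bottom-up (one level) versus top-down SSP policy discovery.

Constructed example for the ietf-dkim thread; the snapshot, the names and
the policy syntax are all assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    exists: bool            # does the name have any DNS records at all?
    ssp: Optional[str]      # published policy text, or None if no SSP record


# Constructed DNS snapshot (not real data).  Only bigu.edu publishes a
# policy; the departments and hosts below it do not, except for one
# subdomain that tries to relax the policy on its own.
SNAPSHOT: Dict[str, Record] = {
    "bigu.edu":              Record(True, "signed-all; sub=locked"),
    "cs.bigu.edu":           Record(True, None),
    "lab.cs.bigu.edu":       Record(True, None),
    "host1.lab.cs.bigu.edu": Record(True, None),
    "rogue.cs.bigu.edu":     Record(True, "unsigned-ok; sub=open"),
}


def parent(name: str) -> Optional[str]:
    """One label up, stopping at the two-label organisational domain."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def parse_policy(ssp: str) -> Tuple[str, bool]:
    """Split the assumed policy text into (verdict, subdomains_may_override)."""
    parts = [p.strip() for p in ssp.split(";")]
    locked = any(p == "sub=locked" for p in parts[1:])
    return parts[0], not locked


def bottom_up(name: str, snapshot: Dict[str, Record] = SNAPSHOT) -> Optional[str]:
    """The draft's search as described in the thread: look at the sender
    domain; if it exists but has no SSP record, look exactly one level up,
    then give up.  Returns the policy text found, or None when nothing was
    found in those two levels (or the domain does not exist at all)."""
    rec = snapshot.get(name)
    if rec is None or not rec.exists:
        return None
    if rec.ssp is not None:
        return rec.ssp
    up = parent(name)
    if up is None:
        return None
    up_rec = snapshot.get(up)
    if up_rec is not None and up_rec.exists:
        return up_rec.ssp
    return None


def suffixes_top_down(name: str) -> List[str]:
    """bigu.edu, cs.bigu.edu, ..., down to the full name."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]


def top_down(name: str, snapshot: Dict[str, Record] = SNAPSHOT) -> Optional[str]:
    """The top-down walk argued for in the thread: start at the organisational
    domain and descend, keeping the parent's policy unless that parent said
    subdomains may override it.  Names with no record of their own simply
    inherit, so individual hosts need no policy attached to them."""
    policy: Optional[str] = None
    may_override = True
    for suffix in suffixes_top_down(name):
        rec = snapshot.get(suffix)
        if rec is None or rec.ssp is None:
            continue
        if policy is None or may_override:
            policy = rec.ssp
            _, may_override = parse_policy(rec.ssp)
        # otherwise the parent locked the policy; the child's record is ignored
    return policy


if __name__ == "__main__":
    for n in ("cs.bigu.edu", "host1.lab.cs.bigu.edu", "rogue.cs.bigu.edu"):
        print(f"{n:24} bottom-up={bottom_up(n)!r:28} top-down={top_down(n)!r}")
```

Running it shows the two cases the thread is about: a host two levels below the nearest policy gets no policy from the one-level search but inherits "signed-all" top-down, and a subdomain that publishes its own relaxed policy wins bottom-up but is overridden top-down because bigu.edu marked itself locked.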
