----- Original Message -----
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
To: "Thomas A. Fine" <fine(_at_)head(_dot_)cfa(_dot_)harvard(_dot_)edu>
If the policy says no overrides, then whatever policy you
find, you're done, and you don't have to look up any more.
If there's no policy, you assume a default of override-depth=1
(or at most 2), and walk down one step. If no policy is found
there, then you're done, and policy is null.
This is an interesting and flexible idea, but somewhat outside
our threat envelope. Subdomains can publish DKIM keys. Why
shouldn't they always be able to publish SSP?
+1
However, Mr. Fine re-raises a good point that I have on regarding
optimization. Why should a large company with many sub-domains be forced to
create a policy for each sub-domain when one or more can cover many?
I guess perhaps future DNS servers would be able to cater to this better by
merging records for specific query keys.
I punt to the DNS gods on this one :-)
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com