william(at)elan.net wrote:
On Wed, 6 Sep 2006, Jim Fenton wrote:
The tree-walking issue (separate from the user-level SSP) issue has
concerned me too. The allman-dkim-ssp-02 draft has it down to 2 queries
-- much improved from the previous revision, in part because of the use
of a separate RR.
Are you sure there is a limit? I distinctly remember a paragraph from
your draft that says that in case of NODATA the verifier needs to
walk down the tree until it reaches root.
Check draft-allman-dkim-ssp-02; the algorithm has changed substantially
in this revision.
Also while I think separate RR is right way to go, I have to note
that since you want to already use TXT for public key, you might
as well (ab)use it for these policy records too - otherwise you'd
cause difference in adoption rates for those wanting to use
signatures and those who want to use policy, making using police.
And personally I think public key is the one that a lot more
belongs into being separate RR (binary CERT preferably) though
in reality you should just avoid putting large public key records
in dns all together as it brings further abuse and problems for
caching name servers that can be avoided otherwise.
Of course the use of a separate RR will require (probably lots of)
further discussion, but I see the considerations relative to the IAB DNS
considerations draft (draft-iab-dns-choices-03) as being rather
different. In the case of key records, we know exactly where to look
using the selector and domain name, and the record is either there or it
isn't. The use of a prefix doesn't hinder that at all. In the case of
SSP, you can do the same thing with TXT records and a prefix, but it
requires additional queries to distinguish the nonexistent domain case
from the nonexistent policy record case. That is an argument in favor
of use of a separate RR, but we'll see what the consensus is.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html