On Jun 9, 2007, at 9:36 AM, Jeff Macdonald wrote:
On Sat, Jun 09, 2007 at 07:51:51AM -0700, Douglas Otis wrote:
The discovery process itself might provide a solution. For a
message to contain a valid email-address, the domain of this
address MUST locate either an MX or A record. The DKIM WG could
strongly recommend A record discovery be deprecated, and that only
MX records be used for discovery. Within a few years, it should
be possible to obsolete use of A record discovery. An email-
address would not be valid without an MX record. This would mean
that policy placement adjacent to the MX record would be the only
location any policy record would need to exist. In this case, the
discovery process itself indicates whether or not the sub-domain
is USED/UNUSED.
Are you referring to the process that some MTAs follow? For
example, if an MTA needs to deliver a message, it is supposed to find
an MX for the right hand side of the email address and deliver it to
the eventual A record (Hector's claim that some MX records return
IPs confused me). Some MTAs, when they don't find an MX record,
just look up an A record instead and deliver to the resulting IP.
If that's the case, shouldn't the deprecating of A lookups when an
MX lookup fails be brought to the SMTP group?
This depends upon how the DKIM WG decides to handle policy discovery.
It seems unreasonable to expect receiving MTAs to adopt a strategy of
searching all labels (below the TLD) in hopes of finding a policy
record that might exist in some small percentage of cases. This
would also hammer SLDs, such as co.uk. (A registry list might help
mitigate the harm.)
It also seems unreasonable to expect sending domains to publish a
policy record at _every_ DNS node as needed to support use of
wildcard records. This would be especially true when the policy can
only indicate whether a message is expected to be signed. To improve
handling of signature failures (common with DKIM), not providing an
indication as to whether the domain itself should be considered valid
makes this even more _unreasonable_!
Phillip's discovery concept justified publishing XPTR records at
every node by having them indicate a principal domain to be used
for policies of all types! Yikes! Reliance upon wildcards is _not_
welcomed by DNS groups, as these records are increasingly utilized to
stage DDoS attacks and can be problematic in other ways. Although
answers for wildcard records are cached, when dealing with random
labels, the cache itself becomes flooded without any outward
indication of an attack occurring. The maximum domain name size in
conjunction with the pointer returned is also likely to approach or
perhaps exceed the maximum DNS message size permitted.
On the other hand, if the DKIM WG were to recommend that "proof of
use" be confirmed before accepting a message, then signature
validation and policy would be expected only at domains with records
that offer "proof of use." To greatly simplify this process, A
record discovery should be deprecated and then obsoleted ASAP. This
would of course need to be done by a different WG.
-Doug
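The two discovery models argued over above, as an added illustration that is not part of the original thread or of any DKIM specification: MX-first with the legacy A-record fallback versus MX-only discovery, and how many DNS queries a receiver spends finding a policy record when it lives beside the MX versus when it must walk every label below the TLD. The zone data is constructed, and the `_policy` label is a hypothetical stand-in for wherever a policy record would be placed.

```python
from collections import Counter

# Constructed zone data for this example (not real DNS). "_policy" is a
# hypothetical label for a DKIM policy record placed next to the MX record.
ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("_policy.example.com", "TXT"): ["dkim=all"],
    ("legacy.example.net", "A"): ["192.0.2.20"],   # A record only, no MX
}
QUERIES = Counter()  # counts DNS lookups issued, keyed by record type

def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed zone."""
    QUERIES[rtype] += 1
    return ZONE.get((name, rtype), [])

def discover_mail_host(domain, a_fallback=True):
    """Return the IP a sender would deliver to, or None if the domain cannot
    receive mail. MX is tried first; A only when the legacy fallback is on."""
    mx = lookup(domain, "MX")
    if mx:
        addrs = lookup(mx[0], "A")
        return addrs[0] if addrs else None
    if a_fallback:
        addrs = lookup(domain, "A")
        return addrs[0] if addrs else None
    return None

def policy_adjacent_to_mx(domain):
    """MX-only model: no MX means the (sub)domain is UNUSED and needs no
    policy lookup; otherwise the policy sits at one known name beside the MX."""
    if not lookup(domain, "MX"):
        return "UNUSED"
    pol = lookup("_policy." + domain, "TXT")
    return pol[0] if pol else "no-policy"

def policy_by_label_walk(domain):
    """Label-walking model the message calls unreasonable: query every
    ancestor below the TLD until a policy record turns up."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):      # stop before the TLD itself
        pol = lookup("_policy." + ".".join(labels[i:]), "TXT")
        if pol:
            return pol[0]
    return "no-policy"

def queries_used(fn, *args):
    """Run a discovery function and return (result, number of DNS queries)."""
    QUERIES.clear()
    result = fn(*args)
    return result, sum(QUERIES.values())
```

For a deep, unused sub-domain the label walk costs one query per label down to the SLD, while the MX-adjacent model settles the question with a single MX lookup.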
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html