On Sep 27, 2007, at 1:36 PM, John C Klensin wrote:
[In so many words, I said deprecating A and AAAA records for SMTP
discovery would allows email policy records be limited to MX record
locations.]
I think you have the cart and horse turned around backward. If
(and I'm not going to express an opinion at this point), one really
needs MX records if DKIM (and its near and distant header-signing
relatives) are to be supported in a reasonable and efficient way,
then it would be perfectly sensible to impose that requirement on
DKIM users. In other words, one makes provision, in the DKIM
specs, that,
(i) if one is going to insert DKIM header records, one
MUST have MX records for the appropriate hosts.
Email policy records are published to cover cases for when some added
email requirement is _not_ met. Email policy records pose a degree
of risk and added overhead when they must be separately discovered.
It would be much safer to limit a discovery process to that of MX
records. Several possible policy discoveries can thereby be
eliminated by mandating use of MX records for the discovery of all
public (port 25) SMTP servers. Any desired policy would then be
adjacent to discovery (MX) record. This scheme could work with many
other protocols.
(ii) if one encounters DKIM header records, does an MX
lookup, and does not get one or more MX records back,
then one SHOULD just give up and treat the DKIM records
as trash (whatever that happens to imply).
Woe! Turn the cart around. Policy is needed when additional
requirements are desired. A DKIM header is better confirmed with the
offered key. Not having a DKIM header is when policy is needed.
This makes the "mandatory MX" issue a DKIM (and friends) issue, not
a requirement that zillions of hosts that do "MX, then address"
lookups consistent with 2821 (and 1123, and...) change what they
are doing because of some proposed words in 2821bis that change a
20-odd-year-old spec. Won't happen, whether 2821bis is changed or
not.
Email is faltering under an ever increasing onslaught of organized
abuse often using forged domains. 2821bis is proposing a change
where now AAAA records are to be allowed for discovery. This change
adds to the overhead related to discerning valid email domains for
little other benefit.
Perhaps soon messages from domains lacking MX records will be
refused. Even DSNs are being dropped. Times have changed. It is
far less expensive and much safer to not wonder whether an address
record might locate an SMTP server. 20 years ago an address record
at an email domain was much more likely to point to an SMTP server.
This is no longer a safe assumption.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html