ietf-dkim

Re: [ietf-dkim] Issue #1534: Applying SSP to sub-domains does not work

2007-12-16 09:32:20


Jim Fenton wrote:
To the extent that the above is not sufficiently clear:

There is no way to properly enforce or even discover the semantics of
this flag, in the general case of sub-domains.  This option needs to
be removed or be specified in a way that works.

This does not address the wildcard issue.

(Has the s flag been vetted with DNS experts?)


The parent-domain checking is done primarily to ease SSP deployment for
domains having large numbers of hostnames.  Without this feature, a
domain needs to publish an SSP record for every label in the domain, so
that it's not possible to trivially bypass SSP by using a hostname as
the domain part of a From address.

Since a sufficiently nested sub-domain will still permit bypassing SSP, the s flag gives the appearance of extra protection but not the fact of it.


This mechanism does not address deeply-nested From domains.  Either such
domains really do exist (in which case they need SSP records), or they
do not (in which case the domain query will return NXDOMAIN), or there's
a wildcard, in which case a deeply-nested address will probably just
look non-Suspicious.

If this is acceptable for deeply nested domains, why isn't it acceptable for shallow-nested ones?


d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
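
The three cases raised in the thread (a deeply nested name that exists, one that does not exist, and one covered by a wildcard) can be modelled as follows. This is an added example, not part of the original message or of the SSP draft. The one-level parent check, the zone contents, the function names, and the assumption that a wildcard does not synthesize an SSP record are all constructed for illustration.

```python
# Toy model of the lookup behaviour discussed in this thread (assumption:
# an SSP record is looked up at the From domain, else at its immediate
# parent only). All zone data below is constructed for illustration.

SSP = {"example.com"}  # names publishing an SSP record
NAMES = {"example.com", "mail.example.com", "b.example.com", "a.b.example.com"}


def resolves(domain, names, wildcards):
    """True if the name exists explicitly or falls under a wildcard ancestor."""
    if domain in names:
        return True
    labels = domain.split(".")
    ancestors = (".".join(labels[i:]) for i in range(1, len(labels)))
    return any(a in wildcards for a in ancestors)


def ssp_coverage(from_domain, ssp, names, wildcards=frozenset()):
    """Classify a From domain as 'nxdomain', 'own', 'parent' or 'uncovered'."""
    if not resolves(from_domain, names, wildcards):
        return "nxdomain"    # name does not exist at all
    if from_domain in ssp:
        return "own"         # record published at the name itself
    parent = from_domain.partition(".")[2]
    if parent in ssp:
        return "parent"      # found by the one-level parent check
    return "uncovered"       # name resolves, but no record is ever found


def audit(domains, ssp, names, wildcards=frozenset()):
    """Return the names a publisher would still need to add records for."""
    return [d for d in domains
            if ssp_coverage(d, ssp, names, wildcards) == "uncovered"]


if __name__ == "__main__":
    for d in ("mail.example.com", "a.b.example.com", "x.y.example.com"):
        print(d,
              ssp_coverage(d, SSP, NAMES),
              ssp_coverage(d, SSP, NAMES, wildcards={"example.com"}))
```

Running `audit` over a zone's existing names lists the ones that neither publish a record nor sit directly under a name that does, which under this model are the names that need their own record.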