
[ietf-dkim] Issue #1541 - Do we need SSP record for DKIM=unknown?

2008-01-03 01:14:25
I just got an automatic note from issue tracker that 1541 was added.

I would like to summarize the issue:

Initially the issue proposed to reduce the current SSP tag options:

    DKIM=strict|all|unknown

to just

    DKIM=strict|all.

The basic idea was that since DKIM-BASE already has an inherent "unknown" or optional signing behavior, it would be redundant and a waste of DNS lookups if domains added SSP records with default values, which is the same as having no SSP record at all. The idea was to make SSP specifically useful only for restrictive DKIM signing operations: less complex, fewer options and therefore less exploitable.

However, Jim Fenton indicated that having a SSP record in all cases, including with default values, would benefit the network DNS TTL and caching issues as opposed to verifiers getting NXDOMAIN results.

So even if the DOMAIN has no specific intentions of utilizing the benefits of SSP policies like strict or all, it would benefit the network when the DKIM domain adds a SSP record even if the default behavior is that of the "unknown" policy.

So probably this ISSUE #1541 is more a question if:

   Should we explicitly state in the SSP specification that
   DKIM-BASE [is highly recommended and] will benefit the DNS
   network by adding a SSP record even when the DOMAIN has no
   intention to use strict or all policies?

Jim established that having a SSP record will benefit SSP compliant verifiers. However, he also indicated that this might be more of a deployment consideration.

That might be so; however, there is no current deployment guide with SSP considerations. So unless that changes, in my view, I think it will benefit all DKIM/SSP implementers if the SSP specification includes the recommendation of adding a SSP record regardless of default behavior.

In addition, since section 7, Operation Overview, states:

   Verifiers checking messages that do not have at least one valid
   Originator Signature MUST perform a Sender Signing Practices check on
   the domain specified by the Originator Address as described in
   Section 4.4.

It is more likely than not that verifiers will bear a significant overhead here when the majority of messages do not have signatures and they MUST perform a SSP discovery lookup. Therefore, DKIM signers SHOULD create a SSP record to help establish their signing policy and not leave it in an indeterminate and DNS-wasteful state.

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
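To make the verifier-side decision from section 7 concrete, the following is an added Python sketch, not code from this post or from any DKIM implementation. The `_ssp._domainkey.<domain>` owner name, the `dkim=` tag syntax, the result labels and the DNS table are all assumptions constructed for the illustration.

```python
# Added illustration of the SSP check described in section 7: a message
# without a valid Originator Signature triggers one SSP TXT lookup on the
# Originator Address domain, whether or not that domain publishes a record.
# Record name, tag syntax and zone data below are assumptions/constructed.
from dataclasses import dataclass, field

SSP_DNS = {  # constructed zone data: TXT owner name -> record text
    "_ssp._domainkey.strict.example":  "dkim=strict",
    "_ssp._domainkey.all.example":     "dkim=all",
    "_ssp._domainkey.unknown.example": "dkim=unknown",   # explicit default
    # "nossp.example" publishes nothing, so its lookup returns NXDOMAIN
}


@dataclass
class Verifier:
    lookups: int = 0                         # SSP queries issued so far
    log: list = field(default_factory=list)  # (domain, result) per lookup

    def fetch_ssp(self, domain):
        """Return the dkim= practice for domain, or None on NXDOMAIN."""
        self.lookups += 1
        txt = SSP_DNS.get(f"_ssp._domainkey.{domain}")
        if txt is None:
            self.log.append((domain, "NXDOMAIN"))
            return None
        tags = {}
        for kv in txt.split(";"):
            if "=" in kv:
                k, v = kv.split("=", 1)
                tags[k.strip().lower()] = v.strip().lower()
        practice = tags.get("dkim", "unknown")
        self.log.append((domain, practice))
        return practice

    def check(self, originator_domain, has_valid_originator_sig):
        """Outcome for one message: 'pass', 'neutral' or 'suspicious'."""
        if has_valid_originator_sig:
            return "pass"            # section 7: no SSP check required
        practice = self.fetch_ssp(originator_domain)
        if practice in (None, "unknown"):
            return "neutral"         # no record behaves like dkim=unknown
        return "suspicious"          # all/strict: unsigned mail is suspect
```

Running `check()` over unsigned mail from `unknown.example` and `nossp.example` gives the same `neutral` result after one lookup each; the only difference, as argued above, is whether the resolver caches a positive answer or an NXDOMAIN.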
