ietf-dkim

[ietf-dkim] Possible issue with Parent Domain logic in SSP

2008-01-08 11:22:32
    I was rereading the validation algorithm last night and came across 
something that is either a good reason not to read these drafts at night, or a 
potential problem for some deployments. Among the companies I have worked with 
over the years it is fairly common practice to allocate a subdomain to some 
external party who manages some service for you. For example, if you have 
transactional mails which you want to come from your domain but are actually 
managed by some third party who does billing for you, you might point the NS 
record for billing.example.com to the third party so that they can manage the 
MX for that domain, the website, etc.
    In reading the verification algorithm, since it assumes an SSP record is 
intended to cover not only the domain in the Originator address but also the 
parent of that domain, this seems like it would create an issue for companies in 
this situation. Basically, to enable these companies to create a STRICT record 
for their top level domain, they now need to be able to make assurances about 
something that is not directly in their control, specifically about a domain 
that they created with the specific intent that it be managed by someone else.

So if I am bank.com and have a significant problem with misuse of that exact 
domain and want to use SSP to help mitigate that risk but I have allocated a 
subdomain to some third party (say thirdparty.bank.com), it looks like my choices 
come down to:
1) Publish SSP with dkim=unknown until thirdparty creates their own SSP record 
for thirdparty.bank.com
2) Take thirdparty.bank.com back from thirdparty and manage the DNS for 
whatever services they provide myself
3) Publish SSP with dkim=strict and let mail for thirdparty fail to be validated

I understand the operational efficiency that is created by assuming that a record 
for a parent domain covers its immediate subdomains, but assuming that the 
practices of one domain apply to another seems like it may create some issues 
for the quality of those practice assertions.

Hopefully I have read this wrong or someone has a better solution than the 
three I outlined above.

Robert

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
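
The parent-domain fallback raised in the message above, as an added example that is not part of the original post or of the SSP draft: a simplified model in which DNS is replaced by a constructed dict and only the domain itself and its immediate parent are consulted. The function names, the outcome labels ("pass", "suspicious", "no-assertion") and the assumption that the delegated subdomain's mail carries no originator signature are choices of this example.

```python
# Simplified model of the parent-domain fallback described in the message.
# Assumptions of this example: DNS is a dict (constructed data), and only the
# originator domain and its immediate parent are consulted.

def lookup_policy(domain, published):
    """Return (policy, domain_that_supplied_it) for an originator domain."""
    if domain in published:
        return published[domain], domain
    parent = domain.partition(".")[2]
    # Fall back only to a multi-label parent, never to a bare TLD.
    if "." in parent and parent in published:
        return published[parent], parent
    return "unknown", None


def evaluate(from_domain, has_originator_signature, published):
    """Classify one message: 'pass', 'suspicious' or 'no-assertion'."""
    if has_originator_signature:
        return "pass"
    policy, _ = lookup_policy(from_domain, published)
    return "suspicious" if policy == "strict" else "no-assertion"


def compare_choices():
    """Outcome per publishing choice for (a) unsigned mail from the delegated
    subdomain and (b) unsigned mail forging the parent domain."""
    choices = {
        "1: parent unknown": {"bank.com": "unknown"},
        "3: parent strict": {"bank.com": "strict"},
        "subdomain publishes its own": {
            "bank.com": "strict",
            "thirdparty.bank.com": "unknown",
        },
    }
    return {
        name: (evaluate("thirdparty.bank.com", False, pub),
               evaluate("bank.com", False, pub))
        for name, pub in choices.items()
    }


if __name__ == "__main__":
    for name, (delegated, forged_parent) in compare_choices().items():
        print(f"{name:30} delegated={delegated:13} forged-parent={forged_parent}")
```

Under choice 1 the parent gives up its own protection along with the subdomain's; under choice 3 the delegated mail inherits the strict policy; only once the subdomain publishes its own record do the two outcomes separate.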