ietf-dkim

[ietf-dkim] ISSUE: SSP-02: MX Record publishing mandate to reduce DNS overhead for SSP Discovery and to detect fraudulent messages

2008-02-11 20:29:22
To better ensure the minimum number of DNS transactions occur while processing DNS SSP and key TXT records, especially for domains that do not implement email, the SSP draft should mandate publishing MX records whenever an SSP record is also published. Since the SSP discovery process makes use of MX record queries to determine whether the domain exists, an SSP record returned for a domain that has not published an MX record thereby signals that both email and DKIM are NOT used for email addresses at this domain. This strategy affords a better cache hit rate during the SSP discovery process, the detection of fraudulent uses of the domain, and a means to protect second level domains.


3.2.2. SSP Lookup Algorithm

4th & 6th Sentence Was:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list" and must include a defined "dkim=" tag.

This query MAY be done in parallel with the query made in step 2.

If the result of this query is an "NXDOMAIN" error, the SSP Checker
MUST return an appropriate error to the Evaluator and terminate the
algorithm.

4th & 6th Sentence Change to:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list", and MUST include a defined "dkim=" tag
and MUST be accompanied by an MX record at the Author Domain.

This query MAY be done in parallel with the query made in step 2.

If the result of this query is an "NXDOMAIN" error, the SSP Checker
MUST return an appropriate error to the Evaluator and terminate the
algorithm.  When the SSP record is returned without there also being
an MX record at the Author Domain, the signature SHOULD BE considered
fraudulent without further DNS transactions being attempted.

Item 2 Was:

2.  _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
 for a record corresponding to the Author Domain (with no prefix).
 The type of the query can be of any type, since this step is only
 to determine if the domain itself exists in DNS.

Item 2 Change to:

2.  _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
 for a record corresponding to the Author Domain (with no prefix).
 The type of the query SHOULD BE for an MX record.  This step can
 depend upon other record types as the response is only to determine
 whether the domain itself exists in DNS.

-Doug
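An added example, not part of Doug's message or of the SSP draft: a small Python checker that applies the proposed rule (step 2 performed as an MX query, and an SSP record with no accompanying MX treated as fraudulent) against a constructed in-memory DNS table instead of a live resolver. The `_ssp._domainkey` prefix, the record names and the result vocabulary are assumptions made for the example.

```python
import re

# Constructed zone data (not real DNS): name -> {rrtype: [rdata, ...]}.
# A name absent from the table stands for an NXDOMAIN response.
FAKE_DNS = {
    "example.com": {"MX": ["10 mail.example.com."]},
    "_ssp._domainkey.example.com": {"TXT": ["dkim=all"]},
    "example.net": {"MX": ["10 mail.example.net."]},      # MX, no SSP
    # SSP published without MX: the proposal treats this as fraudulent.
    "nomail.example": {"A": ["192.0.2.10"]},
    "_ssp._domainkey.nomail.example": {"TXT": ["dkim=strict"]},
    # Well-formed tag-list but no dkim= tag: not a valid SSP record.
    "broken.example": {"MX": ["10 mx.broken.example."]},
    "_ssp._domainkey.broken.example": {"TXT": ["t=y; foo=bar"]},
}

class NXDomain(Exception): pass   # raised when a name does not exist at all

def query(name, rrtype):
    """Return the rdata list for (name, rrtype); [] on NODATA; raise on NXDOMAIN."""
    if name not in FAKE_DNS:
        raise NXDomain(name)
    return FAKE_DNS[name].get(rrtype, [])

_TAG = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_tag_list(txt):
    """Parse 'tag=value; tag=value'; return None on an ABNF violation."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue                      # a trailing ';' is permitted
        m = _TAG.match(part)
        if not m or m.group(1) in tags:
            return None                   # bad syntax or duplicate tag
        tags[m.group(1)] = m.group(2).strip()
    return tags

def ssp_lookup(author_domain):
    """Return 'nxdomain', 'no-ssp', 'invalid', 'fraudulent' or the dkim= practice."""
    try:
        has_mx = bool(query(author_domain, "MX"))   # step 2 as proposed: MX query
    except NXDomain:
        return "nxdomain"                         # Author Domain does not exist
    try:
        records = query("_ssp._domainkey." + author_domain, "TXT")
    except NXDomain:
        records = []
    if not records:
        return "no-ssp"
    tags = parse_tag_list(records[0])
    if tags is None or "dkim" not in tags:
        return "invalid"
    if not has_mx:
        return "fraudulent"                       # SSP present, MX absent
    return tags["dkim"]
```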
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
