Dave Crocker wrote:
G'day,
While reviewing the posts in response to the iab draft, I am finding myself
unclear about the reasons for Step 2, of the query procedure in ASP's Section
4.2.2. I'm pretty sure this is not merely a caffeine-deficiency-based
question...
What is the functional or security reason for verifying that the domain
exists, in terms of ASP.
I can imagine obvious reasons, outside of ASP, but those would not need to be
documented in the ASP.
At the least, it would help to have the document include text that explains
the
benefit of this step.
Where this came from, as I remember, is the translation from a new RR
type to a prefixed TXT query. If ASP is published using its own RR
type, one can do a query that gets the ASP record, and find out whether
the domain exists at all. If you substitute a prefixed TXT query, you
need to do a query for the domain itself, without the prefix, if you
want to find this out.
Checking for the existence of the domain is clearly a useful thing to
do, but it could be considered out of scope for ASP to check for the
existence of the domain, since a non-existent domain naturally does not
have a signing practices record (and we already know that). Another
justification might be caching, but I'd need to find out more about how
negative caching works: would a negative response to
_asp._domainkey.nonexistent.example.com result in a negative cache entry
for nonexistent.example.com? If so, step 2 might occur very quickly
(and locally), potentially eliminating the step 3 query for the parent,
which would probably not be cached.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html