Steve Atkins wrote:
On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
Again, to repeat what I said at the mic:
The current, 3-step procedure is certainly an improvement, however I
do not
understand the need for the second step, in terms of ASP
functionality.
In any early discussion of this, I believe Jim said he thought it
was a
carry-over from an earlier version of the spec where the need was
more clear.
In any event, I think the current question is: What is it about ASP
-- as
opposed to concerns outside of ASP's scope -- that requires checking
for domain
existence?
Without that check, an unsigned mail from
foo(_at_)bar(_dot_)baz(_dot_)ebay(_dot_)com will be
considered to comply with ASP unless there is an ASP record for
_asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
It's difficult to publish a wildcard ASP record with standard DNS
servers. So there is no easy way to publish an ASP assertion for "my
domain and all subdomains of it". It is only possible to publish an
ASP assertion for a finite list of hostnames.
The domain existence check means that only a defined number of ASP
records need to be published (the number of hostnames you publish
would be an upper bound unless you're using wildcards anywhere else in
your DNS, in which case all bets are off).
Removing the check removes the ability for a domain owner to make an
ASP assertion about all possible subdomains of that domain. It seems
within scope for ASP.
Steve, thank you for refreshing my memory on this. I would state it a
little differently now since SSP doesn't really have a "comply", that an
unsigned message from the domain bar.baz.ebay.com will be considered to
have an "Unknown" ASP unless...
So yes, it is important that we keep this.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html