ietf-dkim

Re: [ietf-dkim] Issue 1535 - clarify need for domain existence check in the decision tree (step 2)

2008-03-12 12:23:53
Steve Atkins wrote:
On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:

Again, to repeat what I said at the mic:

The current, 3-step procedure is certainly an improvement, however I do not understand the need for the second step, in terms of ASP functionality.

In any early discussion of this, I believe Jim said he thought it was a carry-over from an earlier version of the spec where the need was more clear.

In any event, I think the current question is: What is it about ASP -- as opposed to concerns outside of ASP's scope -- that requires checking for domain existence?

Without that check, an unsigned mail from foo@bar.baz.ebay.com will be considered to comply with ASP unless there is an ASP record for _asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com.

It's difficult to publish a wildcard ASP record with standard DNS servers. So there is no easy way to publish an ASP assertion for "my domain and all subdomains of it". It is only possible to publish an ASP assertion for a finite list of hostnames.

The domain existence check means that only a defined number of ASP records need to be published (the number of hostnames you publish would be an upper bound unless you're using wildcards anywhere else in your DNS, in which case all bets are off).

Removing the check removes the ability for a domain owner to make an ASP assertion about all possible subdomains of that domain. It seems within scope for ASP.

Steve, thank you for refreshing my memory on this.  I would state it a 
little differently now since SSP doesn't really have a "comply", that an 
unsigned message from the domain bar.baz.ebay.com will be considered to 
have an "Unknown" ASP unless...

So yes, it is important that we keep this.

-Jim
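The three-step ASP procedure that Steve and Jim are discussing, as an added example that is not part of this thread or of the DKIM working group's drafts. It runs step 1 (author-domain signature present?), step 2 (does the author domain exist in DNS?) and step 3 (fetch and parse the TXT record at _asp._domainkey.<author-domain>) against a constructed in-memory zone in which only ebay.com publishes an ASP record, then compares the outcome for an unsigned message from bar.baz.ebay.com with and without step 2. The zone contents, the result labels, the "dkim=" tag syntax and the use of an MX query for the existence check are assumptions made for illustration.

```python
"""ASP evaluation with and without the domain-existence check (step 2).

Constructed example: an in-memory zone stands in for real DNS so the code runs
offline. The record name _asp._domainkey.<domain> and the dkim= tag are taken
from the thread; the zone data and result labels are assumptions.
"""
from enum import Enum


class Result(Enum):
    SIGNED = "author-signed"   # step 1: valid author-domain signature present
    NXDOMAIN = "nxdomain"      # step 2: author domain does not exist in DNS
    UNKNOWN = "unknown"        # step 3: no ASP record, or dkim=unknown
    ALL = "all"                # step 3: dkim=all
    DISCARDABLE = "discardable"  # step 3: dkim=discardable


# Constructed zone: owner name -> {RR type -> list of RDATA}.
# Only the apex of ebay.com publishes an ASP record; mail.ebay.com exists but
# publishes none; bar.baz.ebay.com does not exist at all.
ZONE = {
    "ebay.com": {"A": ["192.0.2.1"], "MX": ["mail.ebay.com"]},
    "_asp._domainkey.ebay.com": {"TXT": ["dkim=all"]},
    "mail.ebay.com": {"A": ["192.0.2.2"]},
}


def lookup(name, rrtype):
    """Resolve against ZONE. Returns (rcode, records).

    NXDOMAIN is returned only when nothing exists at the name and it is not an
    empty non-terminal (no owner names exist below it), mirroring real DNS.
    """
    name = name.lower().rstrip(".")
    if name in ZONE:
        return "NOERROR", ZONE[name].get(rrtype, [])
    if any(owner.endswith("." + name) for owner in ZONE):
        return "NOERROR", []          # empty non-terminal: exists, no data
    return "NXDOMAIN", []


def parse_asp(txt):
    """Parse a tag=value; tag=value record and return the dkim= practice."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("dkim")


def evaluate(author_domain, author_signed, check_existence=True):
    """Run the three-step procedure for one message.

    author_signed: True if the message carries a valid DKIM signature whose
    d= matches the author domain (step 1, assumed verified elsewhere).
    check_existence: set False to see what happens when step 2 is dropped.
    """
    if author_signed:
        return Result.SIGNED
    if check_existence:
        # Step 2: any query type will do; only the rcode matters.
        rcode, _ = lookup(author_domain, "MX")
        if rcode == "NXDOMAIN":
            return Result.NXDOMAIN
    # Step 3: fetch the ASP record for exactly this domain (no parent walk).
    _, txts = lookup("_asp._domainkey." + author_domain, "TXT")
    if not txts:
        return Result.UNKNOWN
    practice = parse_asp(txts[0])
    return {"all": Result.ALL, "discardable": Result.DISCARDABLE}.get(
        practice, Result.UNKNOWN)


def compare(author_domain, author_signed=False):
    """Outcome (with step 2, without step 2) for one unsigned author domain."""
    return (evaluate(author_domain, author_signed, True).value,
            evaluate(author_domain, author_signed, False).value)


if __name__ == "__main__":
    for domain in ("ebay.com", "mail.ebay.com", "bar.baz.ebay.com"):
        with_check, without_check = compare(domain)
        print(f"{domain:20} with step 2: {with_check:12} without: {without_check}")
```

The run makes Steve's point concrete: bar.baz.ebay.com has no ASP record, so without step 2 an unsigned message from it is merely "unknown", exactly as if ebay.com had never published anything; with step 2 the non-existent subdomain is rejected outright, and ebay.com only has to publish records for hostnames that actually exist (mail.ebay.com still needs its own record, since the lookup does not walk up to the parent).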


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
