Steve Atkins wrote:
Without that check, an unsigned mail from foo@bar.baz.ebay.com will be
considered to comply with ASP unless there is an ASP record for
_asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
...
The domain existence check means that only a defined number of ASP
records need to be published (the number of hostnames you publish
would be an upper bound unless you're using wildcards anywhere else in
your DNS, in which case all bets are off).
(Thanks to Barry for reminding me to review this.)
Steve,
Many apologies, but I am simply not understanding this.
Just to make sure we are on the same page about the hierarchy trick in the spec:
The one-level-up hack might be useful for saving some administration, but it
does not provide meaningful "protection", since all an attacker has to do is
use a level down.
With respect to an A record, its presence does tell you that the name is valid,
but it does not tell you anything about ADSP support. Initially there will be
virtually no adoption of ADSP. So what does finding an A record, but no _adsp
record, tell you?
I think what this is uncovering is that adoption of ADSP requires ensuring ADSP
query results for all valid names. In that context, I guess I can see the
benefit of having an A record serve to define what names are valid.
Mumble. This is still feeling a bit squishy to me, although at least I'm
starting to see the possibility of its being useful. (I think the doc at least
is going to have to be much more clear about its role.)
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
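The lookup behaviour being argued over above, as an added example that is not part of the thread and not code from any ADSP implementation: a toy model of the draft's ASP/ADSP query as Steve and Dave describe it (query _asp._domainkey.<author domain>, fall back one level up, and optionally require an A record for the author domain before treating the name as valid), run against a constructed in-memory DNS table so it works offline. The table contents, the "dkim=" tag syntax, the one-level-up guard that stops at two labels, and the helper names are all assumptions made for illustration.

```python
"""Toy ASP/ADSP lookup modelling the thread's discussion (added example,
not the spec's or any implementation's code).  The DNS table is constructed."""

# Constructed DNS table: name -> {rrtype: [values]}.  Only A and TXT records
# are modelled, which is all the lookup below needs.  Note that
# bar.baz.ebay.com exists (has an A record) but publishes no ASP record,
# while x.bar.baz.ebay.com does not exist at all.
DNS = {
    "ebay.com":                     {"A": ["192.0.2.1"]},
    "_asp._domainkey.ebay.com":     {"TXT": ["dkim=all"]},
    "baz.ebay.com":                 {"A": ["192.0.2.2"]},
    "_asp._domainkey.baz.ebay.com": {"TXT": ["dkim=all"]},
    "bar.baz.ebay.com":             {"A": ["192.0.2.3"]},
}


def query(name, rrtype):
    """Stand-in for a DNS resolver: return the values of the given RR type."""
    return list(DNS.get(name, {}).get(rrtype, []))


def domain_exists(domain):
    """The 'domain existence check' under discussion: an A record marks the
    name as a valid author domain (assumption: A only, no MX/AAAA)."""
    return bool(query(domain, "A"))


def asp_record(domain):
    """Return the ASP TXT record published for domain, or None."""
    txt = query("_asp._domainkey." + domain, "TXT")
    return txt[0] if txt else None


def lookup(author_domain, existence_check=True, parent_fallback=True):
    """Evaluate an unsigned message from author_domain.

    Returns (result, where):
      ('nxdomain', None)      existence check failed; treat as non-compliant
      (<practice>, <domain>)  practice found at <domain> (the author domain
                              or, with the one-level-up hack, its parent)
      ('unknown', None)       no record found; unsigned mail is considered
                              to comply, which is the hole Steve points out
    """
    if existence_check and not domain_exists(author_domain):
        return ("nxdomain", None)

    rec = asp_record(author_domain)
    if rec is not None:
        return (rec.split("=", 1)[1], author_domain)

    if parent_fallback:
        labels = author_domain.split(".")
        # Assumption: look exactly one level up and never above two labels,
        # so we never query _asp._domainkey.com.
        if len(labels) > 2:
            parent = ".".join(labels[1:])
            rec = asp_record(parent)
            if rec is not None:
                return (rec.split("=", 1)[1], parent)

    return ("unknown", None)


if __name__ == "__main__":
    # Parent fallback covers the hostname Steve names.
    print(lookup("bar.baz.ebay.com"))
    # Attacker goes one level down: without the existence check the
    # unsigned mail is 'unknown' (compliant); with it, the name is rejected.
    print(lookup("x.bar.baz.ebay.com", existence_check=False))
    print(lookup("x.bar.baz.ebay.com"))
```

Running the three calls in the `__main__` block shows both sides of the argument: the one-level-up fallback only helps for names the attacker does not control the depth of, and an A record says nothing about ADSP support on its own (bar.baz.ebay.com exists yet publishes no record), but combined with the fallback it bounds the set of names an unsigned message can claim.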