ietf-dkim

Re: [ietf-dkim] Issue 1535 - clarify need for domain existence check in the decision tree (step 2)

2008-03-18 11:27:04


Steve Atkins wrote:
> With respect to an A record, its presence does tell you that the
> name is valid, but it does not tell you anything about ADSP
> support.  Initially there will be virtually no adoption of ADSP.  So
> what does finding an A record, but no _adsp record, tell you?

> It tells you two things. It tells you that the domain owner is aware
> of that hostname, and that they did not choose to publish an _adsp
> record that covers it.

The latter assertion is incorrect.  The word "choose" is active.

During the likely very long adoption curve, there is no way to know whether they
"chose" not to publish adsp or whether they didn't know about it.  These have
very different semantics, I think.



And this gets to the nub of the matter, I think:

As with DKIM, ADSP tells you something when it is there, but tells you nothing 
when it isn't.  I think the A record check is trying to pretend that you can 
learn something when ADSP isn't explicitly present for that domain.

But that's only possible if you know that the organization supports ADSP, and 
you can't.

So, when the _adsp TXT is present, you know everything you need to know.

When it isn't, you do not know anything about the organization's practices, 
including not knowing whether it has any.

Really.


> If a desired functionality is for a domain owner to be able to assert
> policy over all hostnames within their domain by publishing a finite
> number of _adsp records, then you need an additional step in the
> process.

The one-level hierarchy trick is the best you can do.

This effort to use the A record is overloading its semantics and you can't tell 
whether the domain owner intends the second meaning.

(BTW, I am being sloppy about referring to A, since I mean A, MX, or anything 
other than an _adsp TXT.)


> As there will never be a legitimate use of a hostname that may be
> checked for an _adsp record that doesn't have any DNS record
> corresponding to it[3], asserting an ADSP fail for any case where
> there is not a corresponding record in DNS will not cause any
> unintended failures,

My point is that the A, MX, whatever record doesn't add any ADSP-related 
information.

It is an extra DNS query that provides no ADSP information.

d/

ps. I'm using 'ADSP' since it looks like it has rough consensus, not because I'm
part of that consensus, which I am...

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
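The two decision trees argued over in this message, modelled side by side as an added example; this is not code from the thread, the DKIM working group, or any ADSP implementation. It assumes the practices record is a TXT record at `_adsp._domainkey.<domain>` carrying a `dkim=` tag (the form later fixed in RFC 5617), replaces real DNS with a constructed in-memory zone so it runs offline, and uses hypothetical names (`FakeResolver`, `adsp_lookup`, `compare`). It shows the point made above: for a name that exists but publishes no `_adsp` record, the existence check costs an extra query and leaves the ADSP result exactly where it was; the only thing it adds is telling a nonexistent name apart from one that is silent.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed in-memory zone (sample data, not real DNS): name -> record types present.
ZONE: Dict[str, Set[str]] = {
    "example.com": {"A", "MX"},
    "_adsp._domainkey.example.com": {"TXT"},
    "mail.example.net": {"A"},          # exists, but publishes no ADSP record
    # "ghost.example.org" is deliberately absent: no records of any kind
}
# TXT data for the ADSP record (tag syntax assumed from RFC 5617: "dkim=...").
TXT_DATA: Dict[str, str] = {"_adsp._domainkey.example.com": "dkim=all"}


class FakeResolver:
    """Stand-in for a DNS resolver that records every query it answers."""

    def __init__(self) -> None:
        self.queries: List[Tuple[str, str]] = []

    def exists(self, name: str) -> bool:
        # Models the draft's "does any record exist" check (A, MX, or anything).
        self.queries.append((name, "ANY"))
        return name in ZONE

    def txt(self, name: str) -> Optional[str]:
        self.queries.append((name, "TXT"))
        return TXT_DATA.get(name) if "TXT" in ZONE.get(name, set()) else None


def parse_adsp(txt: str) -> Optional[str]:
    """Extract the dkim= practice from a tag=value;tag=value record."""
    for tag in txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "dkim" and value.strip():
            return value.strip()
    return None


def adsp_lookup(domain: str, resolver: FakeResolver, existence_check: bool) -> str:
    """Return the practice a verifier can conclude for `domain`.

    existence_check=False: only the _adsp TXT record carries ADSP
    information; its absence yields "unknown" and nothing more.
    existence_check=True: the draft's step 2 runs first; a name with no
    records at all yields "nxdomain" instead of "unknown".
    """
    if existence_check and not resolver.exists(domain):
        return "nxdomain"
    record = resolver.txt(f"_adsp._domainkey.{domain}")
    if record is None:
        return "unknown"
    return parse_adsp(record) or "unknown"


def compare(domain: str) -> Tuple[str, str, int, int]:
    """Run both trees: (result without check, result with check,
    queries without check, queries with check)."""
    r1, r2 = FakeResolver(), FakeResolver()
    without = adsp_lookup(domain, r1, existence_check=False)
    with_check = adsp_lookup(domain, r2, existence_check=True)
    return without, with_check, len(r1.queries), len(r2.queries)


if __name__ == "__main__":
    for name in ("example.com", "mail.example.net", "ghost.example.org"):
        print(name, compare(name))
```

Running it, `example.com` resolves to the published practice under both trees, `mail.example.net` comes back "unknown" under both (the A record changed nothing but the query count), and only the nonexistent `ghost.example.org` separates the two, as "unknown" versus "nxdomain".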
