ietf-dkim
[Top] [All Lists]

[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-06 23:11:41
Folks,

This issue encompasses some others, but I believe it is more basic and 
therefore 
informs the others and therefore needs to be resolved separately:

    There is a basic difference between trying to protect a single domain name, 
versus trying to protect an entire sub-tree.

1.  The DNS was not designed with sub-tree operators.  The wildcard mechanism 
is 
a very narrowly-defined capability and is useless in the face of 
underscore-based naming, since the underscore node really defines an attribute 
of the domain name it is under, rather than defining a true "name".

     What this leaves us with is attempting to invent mechanisms that turn out 
to do only a partial job, at best.


2.  Some of the sub-tree effort is for administrative convenience.  Some is for 
expanded semantics.

     It's not clear that the specification is clear about this distinction.

     It is not clear that the specification is clear about the motivations that 
make it mandatory to add sub-tree mechanisms to the specification.


3.  At least one of the sub-tree mechanisms is attempting to glean information 
from the absence of publisher action.  Let me explain:

     I believe the desire with checking the A record is similar to the idea 
behind having ADSP in the first space.

     That is:

         a) DKIM is for declaring the presence of an accountable identity.  If 
a 
signature is present, you know something.  If it is absent, you know nothing 
extra.

         b) ADSP attempts to tell you something, in the absence of a signature. 
It does that by defining something else that must be present.  If the ADSP 
record is present, you know something.  If it is absent, you know nothing extra.

         c) Checking for the presence of an A record is intended to try tell 
you 
something in the absence of an explicit action by the domain owner.  That's 
it's 
flaw: It is intuiting ADSP information from non-ADSP action.

     While there is nothing wrong with checking the A record, it's semantics 
have literally nothing (directly) to do with ADSP.


All of the above is of course implies some specific actions, but for this note, 
my real goal is to get much more explicit discussion and consensus about the 
difference between protecting a single domain name, versus protecting a tree of 
names, and to get consensus about each of these as separable goals.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html