Siegel, Ellen wrote:
Jim, in your presentation to the ESPC you brought up the fact that one
reason to encourage sub-domains to publish 'unknown' ADSP records was so
that they wouldn't inadvertently inherit an ADSP record from a parent
domain.
As long as such inheritance is possible, i.e. that a subdomain can
automatically inherit from a parent domain, it must be true that we're
discussing subtrees.
There is an important difference. The subtree of example.com includes
everything ending in .example.com such as a.example.com, b.example.com,
and even f.e.d.c.b.a.example.com. ADSP does not cover the subtree; it
covers only labels in the immediate example.com domain.
If we retain that capability, inadvertent or not, in the spec, I think
we need to call it out explicitly and discuss how to counter it.
There are two ways to counter that capability: either the subdomain
publishes an ADSP record, or the parent domain publishes its ADSP record
with the t=s flag as described in section 4.2.1 (or, conceivably,
both). Another possibility, I suppose, is to apply an Author Signature
to the message which makes ADSP irrelevant as long as it isn't broken.
However, I agree with Dave that it may be cleaner to just exclude the
possibility of inheritance rather than try to deal with the fallout.
It's not cleaner for a domain that wishes to publish ADSP and has
thousands of hostnames in the same domain; it now faces the prospect of
publishing thousands of ADSP records, and doesn't have tools to automate
this process.
My comment at ESPC was that I believe it would be a Best Practice for
Coalition members to routinely publish, or have published, explicit ADSP
records for domains that they send from.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html