Date: Mon, 7 Apr 2008 14:32:25 -0700
From: dhc(_at_)dcrocker(_dot_)net
To: robert(_at_)barclayfamily(_dot_)com
CC: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

> robert(_at_)barclayfamily(_dot_)com wrote:
>> Like others I am guessing that you are referring to section 4.2.2 step 2.
>
> Yup.
>
>> Since the domain doesn't exist the administrator can't have
>> been expected to create a policy for it so error seems like the right answer
>> to me.
>
> That presumes the goal of protecting an entire sub-tree.
>
> Absent that goal, the goal is to cover domains that have ADSP records. Very
> different scope of effort.

I think I would describe my goal more narrowly than that. I don't think that
any ADSP record should be protecting anything more than the exact domain the
record is entered for. I also think it is worthwhile for it to be possible for
a domain administrator to be able to cover everything within his administrative
control with their own records if they want to do that.

The case we're talking about here is not whether or not it is worthwhile to
protect the whole domain sub-tree but what to do when encountering something
that is definitionally NOT part of the domain sub-tree (remember we're talking
about NXDOMAIN cases here only, not intuiting anything about any actual
domains). Since these things are not domains then saying that searching for a
domain policy for them returns an error seems entirely reasonable to me.

Robert
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
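
The lookup behaviour argued for in the message above, as an added example (not code from the list or from the draft under discussion): a record covers only the exact name it is published for, and a name that returns NXDOMAIN yields an error instead of inheriting a parent's policy. Assumptions: the `_adsp._domainkey.` prefix and the `dkim=` values are those of ADSP as later published in RFC 5617; the resolver is a toy in-memory stand-in and the zone data is constructed.

```python
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"
ERR_NO_DOMAIN = "error: domain does not exist"
VALID = ("unknown", "all", "discardable")

# Constructed sample zone: owner name -> {rrtype: [rdata]}
ZONE = {
    "example.com": {"A": ["192.0.2.1"]},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=all"]},
    "mail.example.com": {"A": ["192.0.2.2"]},  # exists, publishes no ADSP record
}

def query(name, rrtype):
    """Toy resolver returning (rcode, answers) from ZONE."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return NOERROR, ZONE[name].get(rrtype, [])
    # A name with existing descendants is an empty non-terminal, not NXDOMAIN.
    if any(owner.endswith("." + name) for owner in ZONE):
        return NOERROR, []
    return NXDOMAIN, []

def parse_adsp(txt):
    """Return the value of the dkim= tag, or None if it is absent."""
    for tag in txt.split(";"):
        key, sep, value = tag.partition("=")
        if sep and key.strip() == "dkim":
            return value.strip()
    return None

def adsp_lookup(author_domain):
    # Existence check: an NXDOMAIN name is not a domain, so there is no
    # administrator who could have published a policy for it.
    rcode, _ = query(author_domain, "A")
    if rcode == NXDOMAIN:
        return ERR_NO_DOMAIN
    # Exact-name lookup only: no walk up to a parent's record.
    _, answers = query("_adsp._domainkey." + author_domain, "TXT")
    policies = [p for p in map(parse_adsp, answers) if p in VALID]
    return policies[0] if len(policies) == 1 else "unknown"

if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "bogus.example.com"):
        print(d, "->", adsp_lookup(d))
```

Here `mail.example.com` exists, so it gets "unknown" until its administrator publishes a record of its own, while `bogus.example.com` is rejected at the existence check.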