On Apr 9, 2008, at 11:43 AM, MH Michael Hammer (5304) wrote:
> In response to the question Dave asks, I like the idea of providing
> the option of protecting an entire (sub)tree within a domain. My
> question to the gurus is whether there is a clean way to identify
> "main" domains below a TLD. For the generics this would appear to be
> straightforward. For country TLDs I'm not so sure. Some country
> TLDs might always require a .co.TLD or .edu.tld (or something
> similar). Not only is there inconsistency across such TLDs, there
> may be inconsistency over time as far as requirements within a TLD.
>
> What started me thinking along this line was allowing a base domain
> (if you will) to make an assertion that ALL subdomains only send
> signed mail (or never sign mail or ?)

Technically, Dave Crocker is right. The issue he raises is valid
since message content is independent of SMTP. When taken to heart,
one cannot expect _any_ DNS records to relate to what might be
email addresses contained within the messages.

One simple assertion can overcome this issue. Declare that protections
afforded by ADSP _only_ relate to email addresses exchanged using
SMTP. With this statement, there would be MX or A DNS resource
records required by the domain. Presence of these records therefore
offers a means to validate the domains.

To put an upper limit on the number of policy-related DNS transactions
that could increase over time, require publishing MX records with any
SMTP policy record. This would place an upper limit on the number of
transactions needed to determine presence of SMTP policy. The first
step in evaluating SMTP policy would be requesting an MX record. To
determine whether the domain might be valid for SMTP, a subsequent
transaction could check for A records. Until A record discovery
becomes deprecated, and to avoid tree walking, domains seeking
protection should be required to publish ADSP records at every node
where there are also A records. The existence of policy records in the
absence of MX records would also refute that any message comes from the
domain. As policy records would need to be published in conjunction
with A records, the requirement that policy be qualified by MX records
eliminates any need to also publish bogus MX records, as has been
suggested as an alternative strategy.

Acceptance of messages independent of SMTP delivery is a separate matter
not covered by ADSP. This could be handled through a scope statement
in the ADSP record, but this field is currently missing. The way
forward would be to declare that ADSP pertains to SMTP-exchanged
messages. When handling a mixture of messages exchanged using SMTP
and other protocols, there will be potential conflicts. When the
exchange protocol is not apparent to recipients, these messages may be
seen as not compliant with ADSP assertions when a default assumption
of SMTP is used.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
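The lookup sequence Doug sketches above (MX first, A only if MX is absent, then the policy record at the exact author domain with no tree walk, and policy-without-MX read as a denial that the domain sends mail), as an added worked example. This is editorial illustration, not code from the thread or from any ADSP implementation. The in-memory zone, the outcome labels and the received_via_smtp flag are constructed for the example; the record location _adsp._domainkey.<domain> is assumed from the ADSP draft of the period and is not stated on the page.

```python
"""MX-qualified ADSP policy lookup, as proposed in the message above.

Added example, not code from the DKIM list or any ADSP implementation.
The zone below is a constructed stand-in for DNS; the policy record name
(_adsp._domainkey.<domain>) is an assumption taken from the ADSP draft.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed zone: name -> {rrtype: [rdata, ...]}. Names absent here have no records.
ZONE: Dict[str, Dict[str, List[str]]] = {
    # Mail domain: MX, A and a policy record.
    "example.com": {"MX": ["10 mail.example.com."], "A": ["192.0.2.1"]},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=all"]},
    # Web host: A record and a policy record, but no MX.
    "www.example.com": {"A": ["192.0.2.2"]},
    "_adsp._domainkey.www.example.com": {"TXT": ["dkim=discardable"]},
    # Host with an A record and no policy record of its own.
    "lab.example.com": {"A": ["192.0.2.4"]},
}

ADSP_PREFIX = "_adsp._domainkey."  # assumed record location (ADSP draft)
MAX_LOOKUPS = 3                    # MX, A, policy: the ceiling the proposal aims for


def query(name: str, rrtype: str) -> List[str]:
    """Return rdata for name/rrtype from the constructed zone (empty list if none)."""
    return ZONE.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def parse_adsp(txt: str) -> Optional[str]:
    """Extract the dkim= tag value from an ADSP TXT record ('dkim=all' -> 'all')."""
    for tag in txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "dkim":
            return value.strip().lower()
    return None


@dataclass(frozen=True)
class Verdict:
    outcome: str            # policy | no-policy | refuted | not-smtp-domain | out-of-scope
    policy: Optional[str]   # dkim= value when a usable record was found
    lookups: int            # DNS transactions spent reaching the verdict


def evaluate(author_domain: str, received_via_smtp: bool = True) -> Verdict:
    """Evaluate policy for one author domain, at that exact name only (no tree walk)."""
    if not received_via_smtp:
        # The proposal scopes ADSP to SMTP-exchanged mail; other transports are out of scope.
        return Verdict("out-of-scope", None, 0)

    lookups = 1
    mx = query(author_domain, "MX")
    if not mx:
        # No MX: an A record still makes the name a possible SMTP domain.
        lookups += 1
        if not query(author_domain, "A"):
            return Verdict("not-smtp-domain", None, lookups)

    lookups += 1
    records = query(ADSP_PREFIX + author_domain, "TXT")
    policy = parse_adsp(records[0]) if records else None
    if policy is None:
        # Nothing published at this node; the parent's policy is deliberately not consulted.
        return Verdict("no-policy", None, lookups)
    if not mx:
        # Policy published where no MX exists: the domain asserts that no mail comes from it.
        return Verdict("refuted", policy, lookups)
    return Verdict("policy", policy, lookups)


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "lab.example.com", "ghost.example.com"):
        print(name, evaluate(name))
```

Note that lab.example.com yields no-policy rather than inheriting dkim=all from example.com: that is the cost of refusing to tree-walk, which is why the proposal asks domains wanting protection to publish a record at every node that has an A record.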