On Apr 14, 2008, at 6:53 AM, Wietse Venema wrote:
> John Levine:
> > As someone pointed out, you can interchange steps 1 and 2 in the
> > specification, putting the existence check first. And then, of
> > course, you can decide that the existence check is done outside
> > ADSP. If the existence check is removed, I would advocate putting
> > in language that says an existence check SHOULD be performed
> > before doing ADSP.
> That seems reasonable. My objection (and I think also Dave's) is
> not that it's a bad idea, but that it's not part of DKIM or ADSP.
+1
> It's unfortunate that DNS won't let us specify ADSP policies that
> cover only non-existent originator domain names, but wishing for
> such an ability does not mean that we suddenly can.
RFC 2822 does not depend upon SMTP as being the message exchange
protocol. In addition, future message exchange protocols may depend
upon different address resolution protocols, such as PRNP. PPNP
avoids any reliance upon DNS, for example. Any protocol that might
replace DNS may also adopt a strategy of DNS independence. Unless
ADSP specifies policies are limited to SMTP, it would be incorrect to
conclude existence checks can or should depend upon DNS resource
records.
> The NXDOMAIN result for the originator domain cannot(*) correspond
> with an ADSP policy (one of "unknown" / "all" / "discardable"), and
> therefore it cannot be part of ADSP.
Even a domain's existence cannot depend upon NXDOMAIN results. This
negative assertion depends upon the lack of wildcard use by the
domain, network provider, and TLD provider. Such reliance seems
highly problematic.
ADSP should make a statement that only _SMTP_ message exchanges are
protected by policy assertions. By specifying which transport is
being protected, then existence checks can depend upon MX or A
resource records being found in DNS. These checks are common for
RFC2821 MailFrom addresses. However, ADSP is assuming this existence
checking scheme can extend to an _unspecified_ address space. ADSP is
the only place where transport protection can be specified. By
declaring the address space pertains to specifically SMTP exchanged
messages, then SMTP discovery records can confirm existence or the
apparent absence of SMTP related domains. Do not assume the lack of
NXDOMAIN confirms existence. In addition, NXDOMAIN does not confirm
non-existence, even when limited to SMTP.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
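The distinction argued above, between an SMTP-scoped existence check built on MX/A discovery records and one that leans on NXDOMAIN, is easy to see in code. The following is an added illustration written for this page; it is not part of ADSP, DKIM, or any resolver library, and it does not claim to be what the specification requires. The resolver callback `sample_resolve`, the in-memory zone table `SAMPLE_ZONE`, and the helper names are all constructed for the example so that it runs offline; a real deployment would swap in a library resolver with the same `(name, rrtype)` contract. It also carries the thread's wildcard caveat: a positive answer is checked against a random sibling label, so a wildcard parent that answers for everything is flagged rather than taken as proof of existence.

```python
"""Existence checks for an SMTP originator domain, illustrating the thread's
point that MX/A discovery records, not NXDOMAIN, are what an SMTP-scoped check
should rely on.  Constructed example for this page; not part of ADSP, DKIM, or
any real resolver library.  DNS answers come from an in-memory zone table so the
code runs offline."""

import secrets
import string


class NXDomain(Exception):
    """Raised by the resolver callback when the queried name does not exist."""


# Constructed sample zone data: owner name -> {rrtype: [rdata, ...]}.
# A name present in the table but lacking the requested type is NODATA; a name
# absent from the table is NXDOMAIN; '*.example.org.' models a wildcard parent
# that answers for any otherwise-unknown child label.
SAMPLE_ZONE = {
    "example.com.": {"MX": ["10 mail.example.com."], "A": ["192.0.2.10"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "nomx.example.com.": {"A": ["192.0.2.11"]},        # address only: implicit MX
    "webonly.example.com.": {"TXT": ["v=spf1 -all"]},  # exists, but no SMTP records
    "*.example.org.": {"A": ["192.0.2.99"]},           # wildcard parent
}


def sample_resolve(name, rrtype):
    """Resolver callback over SAMPLE_ZONE (hypothetical stand-in for a real one).
    Returns a possibly empty list of rdata, or raises NXDomain for names outside
    the table, honouring a single-label wildcard under a parent that has one."""
    fqdn = name if name.endswith(".") else name + "."
    if fqdn in SAMPLE_ZONE:
        return list(SAMPLE_ZONE[fqdn].get(rrtype, []))
    labels = fqdn.split(".", 1)
    if len(labels) == 2 and "*." + labels[1] in SAMPLE_ZONE:
        return list(SAMPLE_ZONE["*." + labels[1]].get(rrtype, []))
    raise NXDomain(name)


def smtp_domain_exists(domain, resolve=sample_resolve):
    """Classify a domain by its SMTP discovery records.  Returns (verdict, reason):
      'smtp'     - MX records, or A/AAAA records (implicit MX), were found
      'no-smtp'  - the name answered but carries no MX or address records
      'nxdomain' - every query returned NXDOMAIN
    Neither 'no-smtp' nor 'nxdomain' is treated as proof of non-existence."""
    try:
        if resolve(domain, "MX"):
            return "smtp", "MX records found"
        if resolve(domain, "A") or resolve(domain, "AAAA"):
            return "smtp", "no MX, but address records found (implicit MX)"
        return "no-smtp", "name answers but has no MX or address records"
    except NXDomain:
        return "nxdomain", "NXDOMAIN; not taken as proof of non-existence"


def wildcard_suspected(domain, resolve=sample_resolve):
    """Heuristic for the wildcard caveat: query a random sibling label under the
    same parent.  If it yields the same MX/A data as the domain itself, a
    wildcard (or synthesized answer) is likely, and a positive existence result
    deserves less trust.  Returns False when the sibling is NXDOMAIN."""
    parent = domain.split(".", 1)[1] if "." in domain else ""
    if not parent:
        return False
    probe = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    try:
        sibling = (resolve(f"{probe}.{parent}", "MX"), resolve(f"{probe}.{parent}", "A"))
        own = (resolve(domain, "MX"), resolve(domain, "A"))
    except NXDomain:
        return False
    return any(sibling) and sibling == own


if __name__ == "__main__":
    for name in ("example.com", "nomx.example.com", "webonly.example.com",
                 "nonexistent.example.com", "anything.example.org"):
        verdict, reason = smtp_domain_exists(name)
        flag = " (wildcard suspected)" if wildcard_suspected(name) else ""
        print(f"{name:28s} {verdict:9s} {reason}{flag}")
```

Run as a script, the table shows the three outcomes side by side: `webonly.example.com` answers but is `no-smtp`, `nonexistent.example.com` is `nxdomain`, and `anything.example.org` looks like a live SMTP domain until the sibling probe reveals the wildcard. The verdicts are deliberately separate from any ADSP policy value, which is the point the thread makes about keeping the two mechanisms apart.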