ietf-dkim

Re: [ietf-dkim] protecting domains that don't exist

2008-04-14 12:40:47

On Apr 14, 2008, at 6:53 AM, Wietse Venema wrote:

> John Levine:
>> As someone pointed out, you can interchange steps 1 and 2 in the
>> specification, putting the existence check first.  And then, of
>> course, you can decide that the existence check is done outside
>> ADSP.  If the existence check is removed, I would advocate putting
>> in language that says an existence check SHOULD be performed
>> before doing ADSP.
>
> That seems reasonable.  My objection (and I think also Dave's) is
> not that it's a bad idea, but that it's not part of DKIM or ADSP.

+1

It's unfortunate that DNS won't let us specify ADSP policies that  
cover only non-existent originator domain names, but wishing for  
such an ability does not mean that we suddenly can.

RFC 2822 does not depend upon SMTP as being the message exchange  
protocol.  In addition, future message exchange protocols may depend  
upon different address resolution protocols, such as PRNP.  PPNP  
avoids any reliance upon DNS, for example.  Any protocol that might  
replace DNS may also adopt a strategy of DNS independence.  Unless  
ADSP specifies policies are limited to SMTP, it would be incorrect to  
conclude existence checks can or should depend upon DNS resource  
records.

The NXDOMAIN result for the originator domain cannot(*) correspond  
with an ADSP policy (one of "unknown" / "all" / "discardable"), and  
therefore it cannot be part of ADSP.

Even a domain's existence cannot depend upon NXDOMAIN results.  This
negative assertion depends upon the lack of wildcard use by the
domain, network provider, and TLD provider.  Such reliance seems
highly problematic.

ADSP should make a statement that only _SMTP_ message exchanges are  
protected by policy assertions.  By specifying which transport is  
being protected, then existence checks can depend upon MX or A  
resource records being found in DNS.  These checks are common for  
RFC2821 MailFrom addresses.  However, ADSP is assuming this existence  
checking scheme can extend to an _unspecified_ address space.  ADSP is  
the only place where transport protection can be specified.  By  
declaring the address space pertains to specifically SMTP exchanged  
messages, then SMTP discovery records can confirm existence or the  
apparent absence of SMTP related domains.  Do not assume the lack of  
NXDOMAIN confirms existence.  In addition, NXDOMAIN does not confirm  
non-existence, even when limited to SMTP.

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
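The SMTP-scoped existence check Doug describes (MX, falling back to A/AAAA), together with the wildcard caveat, as an added example that is not part of the original message or of any ADSP implementation. The resolver is injected so the code runs offline against a constructed zone; the zone contents, the `smtp_domain_existence` and `constructed_lookup` names and the simplified wildcard matching are all assumptions of this example, and a real deployment would pass a lookup function backed by an actual DNS library.

```python
"""Classify an originator domain by what DNS says about it for SMTP purposes.

Added example, not code from the ietf-dkim thread.  Four outcomes are
distinguished: MX records found, A/AAAA found without MX (RFC 5321 implicit
MX), NODATA (the name exists but has no mail-related records) and NXDOMAIN.
The last case is only as trustworthy as the absence of wildcards along the
resolution path, which the constructed zone below demonstrates.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Rcode(Enum):
    NOERROR = 0
    NXDOMAIN = 3


class Existence(Enum):
    MX_PRESENT = "MX records found"
    IMPLICIT_MX = "no MX, but A/AAAA found"
    NODATA = "name exists but has no MX/A/AAAA"
    NXDOMAIN = "name does not exist, according to this resolver"


# A lookup takes (owner name, rrtype) and returns (rcode, answer rdata list).
Lookup = Callable[[str, str], Tuple[Rcode, List[str]]]


def smtp_domain_existence(domain: str, lookup: Lookup) -> Existence:
    """Apply the MX-then-address existence rule used for RFC 2821 MailFrom."""
    name = domain.rstrip(".").lower() + "."
    rcode, mx = lookup(name, "MX")
    if rcode is Rcode.NXDOMAIN:
        return Existence.NXDOMAIN
    if mx:
        return Existence.MX_PRESENT
    for rrtype in ("A", "AAAA"):
        _, addrs = lookup(name, rrtype)
        if addrs:
            return Existence.IMPLICIT_MX
    return Existence.NODATA


# Constructed zone data for the demo (assumption; 192.0.2.0/24 is a
# documentation prefix, not a real host).
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("mail.example.com.", "A"): ["192.0.2.25"],
    ("www.example.com.", "A"): ["192.0.2.80"],            # exists, no MX
    ("txt-only.example.com.", "TXT"): ["v=spf1 -all"],    # exists, no MX/A/AAAA
    ("*.wild.example.com.", "A"): ["192.0.2.1"],          # wildcard under wild.
}


def constructed_lookup(name: str, rrtype: str) -> Tuple[Rcode, List[str]]:
    """Mimic a resolver over CONSTRUCTED_ZONE, including wildcard synthesis.

    A name exists if it owns any record of any type.  Otherwise the nearest
    enclosing "*.<parent>" owner, if present, synthesises the answer, so the
    query never returns NXDOMAIN.  This is a simplification of RFC 1034
    wildcard rules, sufficient to show the caveat from the thread.
    """
    owners = {owner for owner, _ in CONSTRUCTED_ZONE}
    if name in owners:
        return Rcode.NOERROR, CONSTRUCTED_ZONE.get((name, rrtype), [])
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in owners:
            return Rcode.NOERROR, CONSTRUCTED_ZONE.get((wildcard, rrtype), [])
    return Rcode.NXDOMAIN, []


if __name__ == "__main__":
    for d in ("example.com", "www.example.com", "txt-only.example.com",
              "nosuch.example.com", "nosuch.wild.example.com"):
        print(f"{d:28s} -> {smtp_domain_existence(d, constructed_lookup).value}")
```

The last two queries make the point of the message: `nosuch.example.com` gets NXDOMAIN only because nothing above it uses a wildcard, while `nosuch.wild.example.com` is invented and yet classified as existing, so a NOERROR answer for an originator domain is not proof that anyone provisioned it.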
