ietf-dkim

Re: [ietf-dkim] protecting domains that don't exist

2008-04-14 13:55:22
> You're confusing "commercial" concerns about [anti-]spoofing with
> "engineering" concerns about what the DNS infrastructure can do.

Not really.  I'm talking about what a DNS based system like ADSP can
do rather than what some other hypothetical super duper anti-badness
system might do.

> - Another way to have ADSP cover an entire hierarchy is to ...

Yes, there's a variety of hacks that would sorta kinda give you
subtree coverage.  To summarize lengthy discussions, they all suffer
from not really working (lists of known delegation points), not
working with some widely used software (zone cuts), not matching the
actual administrative organization of the DNS (zone cuts again), being
easily circumvented (limit tree walk to N levels), or usually a
combination of the above.

It is hardly a secret that spammers quickly adapt to any anti-spam
measures, so all this would do is to encourage them to exploit the
holes that the sorta kinda doesn't handle, while simultaneously
leading to stupid fights of the kind seen with SPF in which SPF
advocates claim that well established mail techniques are "forgery"
because SPF can't handle them.

> ADSP's adoption as it stands will provide an incentive to locate A
> records which, through administrator error, lack an associated ADSP
> entry. This is not to say that a protocol should survive all
> administrator errors, but introducing this sort of fragility is
> unfortunate.

They can already use random names with A records to defeat checks for
non-existent domains, so I don't see how this makes the situation
worse.

Two more observations: One is the assumption that mail from subdomains
is somehow automatically equivalent to mail from the enclosing domain.
I don't see any reason for this to be true.  I have one opinion about
mail from foo@aol.com, and a rather lower opinion of mail from
foo@327cb72e.ipt.aol.com, without needing any help from ADSP.

The other is that if you're so desperate to provide complete ADSP
coverage of subdomains, you can do it right now with a specialized DNS
server that does the equivalent of synthesizing names from
_adsp._domainkey.*.example.com.  This is no worse a hack than the
sorta kinda approaches, but unlike all of them, it would actually
work.

R's,
John
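The two claims in the message above (that subtree coverage via a plain DNS wildcard does not really work, and that a server synthesizing answers for `_adsp._domainkey.*.example.com` would) can be checked with a small model. The following is an added illustration, not code from the post or from any real DNS software: `ZONE` is a constructed zone for `example.com`, `lookup_txt` applies the ordinary wildcard rule from RFC 4592 (a wildcard only answers for names whose longest existing ancestor is the wildcard's parent), and `synthesizing_lookup` does what the post's specialized server would do. The host names and record contents are made up for the example.

```python
"""Toy ADSP lookups: ordinary DNS wildcard matching versus a server that
synthesizes an answer for _adsp._domainkey.<anything>.example.com.

Added illustration only; the zone below is constructed for the example.
"""

from typing import Optional

# Constructed zone for example.com.  Owner name -> {rrtype: rdata}.
ZONE = {
    "example.com.": {"MX": "10 mail.example.com."},
    "mail.example.com.": {"A": "192.0.2.25"},
    "www.example.com.": {"A": "192.0.2.10"},
    # The domain's real ADSP record, at the name ADSP defines.
    "_adsp._domainkey.example.com.": {"TXT": "dkim=all"},
    # A naive attempt to cover every subdomain with one DNS wildcard.
    "*.example.com.": {"TXT": "dkim=all"},
}

ADSP_PREFIX = "_adsp._domainkey."


def adsp_name(domain: str) -> str:
    """Absolute name at which ADSP publishes the policy for `domain`."""
    if not domain.endswith("."):
        domain += "."
    return ADSP_PREFIX + domain


def _parent(name: str) -> Optional[str]:
    """Drop the leftmost label; None once we are at the root."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def _exists(name: str, zone: dict) -> bool:
    """A name exists if it owns records or is an ancestor of an owner
    (an empty non-terminal).  Wildcard owners make no other name exist."""
    for owner in zone:
        if owner.startswith("*."):
            continue
        if owner == name or owner.endswith("." + name):
            return True
    return False


def lookup_txt(qname: str, zone: dict) -> Optional[str]:
    """TXT lookup with (simplified) RFC 4592 wildcard semantics: an exact
    owner answers; an existing empty non-terminal is NODATA; otherwise the
    wildcard directly under the closest encloser (the longest existing
    ancestor) answers, if such a wildcard exists."""
    if qname in zone:
        return zone[qname].get("TXT")
    if _exists(qname, zone):
        return None  # empty non-terminal: the wildcard does not apply
    encloser = _parent(qname)
    while encloser is not None and not _exists(encloser, zone):
        encloser = _parent(encloser)
    if encloser is None or encloser == ".":
        return None  # no wildcard at the root in this toy model
    rr = zone.get("*." + encloser)
    return rr.get("TXT") if rr else None


def synthesizing_lookup(qname: str, zone: dict, policy_domain: str) -> Optional[str]:
    """The post's 'specialized DNS server': answer any query for
    _adsp._domainkey.<x>.<policy_domain> with the policy domain's own ADSP
    record, whether or not <x> exists.  Everything else falls through to the
    ordinary lookup."""
    if not policy_domain.endswith("."):
        policy_domain += "."
    if qname.startswith(ADSP_PREFIX):
        tail = qname[len(ADSP_PREFIX):]
        if tail == policy_domain or tail.endswith("." + policy_domain):
            rr = zone.get(adsp_name(policy_domain))
            return rr.get("TXT") if rr else None
    return lookup_txt(qname, zone)


def coverage_report(hosts, zone: dict, policy_domain: str) -> dict:
    """For each host, (wildcard answer, synthesized answer) for its ADSP name."""
    return {
        h: (lookup_txt(adsp_name(h), zone),
            synthesizing_lookup(adsp_name(h), zone, policy_domain))
        for h in hosts
    }


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "nosuch.example.com", "example.net"]
    for host, (wild, synth) in coverage_report(hosts, ZONE, "example.com").items():
        print(f"{host:22s} wildcard={wild!s:10s} synthesized={synth}")
```

Running it shows the gap the post describes: the wildcard answers for `nosuch.example.com` (no closer name exists) but not for `www.example.com`, because the existing `A` record at `www` becomes the closest encloser and `*.www.example.com` does not exist. Every host that actually exists is therefore left without a policy, which is exactly the "A records lacking an ADSP entry" fragility raised in the quoted text; the synthesizing server answers for both while still returning nothing for a foreign domain.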
