Arvel Hathcock wrote:
> ADSP will push _all_ attackers to move to "i-look-like-domain.com."
> I view this as a good thing, others don't and I'm struggling to
> understand why.

Trying a summary, _adsp._domainkey.bank.example. can implicitly
also protect foobar.bank.example. At first glance that is a nice
to have feature. Looking closer the opposition can simply abuse
foobar-bank.example. (replacing a dot) or foo.bar.bank.example.
(adding a dot) to get around _adsp._domainkey.bank.example. So
ASP might do less than you hope, but that is not the main point:
IFF foobar.bank.example. is a separate zone below bank.example.
you'd get a limited sitefinder-verisign.museum. effect for ADSP,
and that is a very seriously "bad thing", foobar.bank.example.
would be forced to "opt out" of this invasion of its zone, or
bank.example. would need to close out foobar with t=s. OTOH we
are at the point where discussing this for another year likely
won't add new insights.
Frank