ietf-dkim

Re: [ietf-dkim] end-users vs filtering engines

2008-05-02 10:06:16
Wietse Venema wrote:
> Jim Fenton:
>> Dave Crocker wrote:
>>> J D Falk wrote:
>>>> Wietse wrote:
>>>>> How would a receiver discover the top-level domain given example.com,
>>>>> example.ac.uk, example.org.au, etc.?
>>>>
>>>> The same way we do now: annoying, manually maintained case statements.
>>>
>>> This relies on a resource that is not specified in the document, is not
>>> publicly standardized, and changes.
>>>
>>> Not such a good thing.
>>
>> Exactly what terrible outcome does this produce if this is done wrong?
>> It's unlikely that com, ac.uk, or org.au are going to publish ADSP
>> records.  So there is an unnecessary query to the parent, which is
>> probably cached anyway (15 minutes for com, 1 day for ac.uk).
>
> Jim,
>
> You deleted the context of the original question: a mechanism that
> allows organizations to advertise a policy in one place that applies
> to their entire DNS tree.

I didn't delete anything but Dave's signature line and the mailing list
footer.  Please check the thread.  I'm very sensitive to being taken out
of context, and try not to do the same.

What is in the ssp-03 draft is not a mechanism to advertise a policy in
one place that applies to their entire DNS tree.  It is a mechanism to
advertise a policy that applies to leaf nodes (only) one level down,
such as A records within the domain.

> In the absence of a solid algorithm that determines the top of an
> arbitrary organization's DNS tree, verifiers will have to walk up
> the entire DNS tree from the bottom.

Or those publishing ADSP records will need to do so for each of their
subdomains (as distinct from hostnames).  Of course, hostnames are much
more numerous than subdomains, so this reduces the publication
requirement significantly.

> Thus, ADSP becomes a tool that can be mis-used for trivial
> amplification attacks by sending rfc2822.from addresses with many
> domain levels. That is not a good thing for a protocol that attempts
> to improve security. The prime directive should be "do no harm".

Several revisions back, SSP had provision for a record search that was
either unbounded or 5 layers deep, which was abandoned for this (among
other) reasons.  The current draft, and the proposal on the table, is to
perform a maximum of one additional lookup if an ADSP record is not
found and the domain exists.  I don't see that as introducing a
significant amplification or make-work attack.

This is one of the reasons I react so strongly to the term "tree walk"
for this.  It's a single additional query, maximum.

-Jim
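The two lookup strategies the thread contrasts, as an added example that is not code from the ssp draft, from Jim or from Wietse: a small in-memory model that counts the DNS queries a verifier spends on the bounded lookup Jim describes (one query at the author domain, at most one more at its parent if the domain exists) against the unbounded walk Wietse warns about, for a short and a deliberately deep From: domain. The record location `_adsp._domainkey.<domain>`, the single-query "domain exists" check, the zone contents and the `FakeResolver` stand-in for DNS are all assumptions of this model, not facts from the page.

```python
"""Query-count model of two ADSP practices-lookup strategies.

Added example, not code from the ssp draft or the thread.  Assumptions:
  * ADSP TXT records live at _adsp._domainkey.<domain> (as later specified
    in RFC 5617; the draft under discussion is not quoted on this point).
  * "The domain exists" costs one extra query (RFC 5617 uses MX/A/AAAA).
  * The zone data in make_sample_zone() is constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ADSP_PREFIX = "_adsp._domainkey."


@dataclass
class FakeResolver:
    """In-memory stand-in for DNS that records every query it is asked."""
    txt: Dict[str, str]            # name -> ADSP TXT record
    existing: Set[str]             # domains that would resolve (not NXDOMAIN)
    queries: List[str] = field(default_factory=list)

    def txt_lookup(self, name: str) -> Optional[str]:
        self.queries.append("TXT " + name)
        return self.txt.get(name)

    def domain_exists(self, name: str) -> bool:
        self.queries.append("EXISTS " + name)
        return name in self.existing


def parent(domain: str) -> Optional[str]:
    """Strip one leading label; None once a single label (the TLD) is reached."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def adsp_lookup_bounded(resolver: FakeResolver, domain: str) -> Tuple[Optional[str], int]:
    """The lookup Jim describes: query the author domain; if no record is found
    and the domain exists, query its parent once.  Three queries at most,
    however many labels the sender put in From:.
    Returns (record or None, number of queries spent)."""
    start = len(resolver.queries)
    rec = resolver.txt_lookup(ADSP_PREFIX + domain)
    if rec is None and resolver.domain_exists(domain):
        up = parent(domain)
        if up is not None:
            rec = resolver.txt_lookup(ADSP_PREFIX + up)
    return rec, len(resolver.queries) - start


def adsp_lookup_tree_walk(resolver: FakeResolver, domain: str,
                          max_depth: Optional[int] = None) -> Tuple[Optional[str], int]:
    """The walk Wietse warns about: climb label by label until a record is
    found or the tree is exhausted (optionally capped at max_depth queries,
    as the earlier 5-deep SSP search was).  Cost grows with the label count."""
    start = len(resolver.queries)
    rec, cur, steps = None, domain, 0
    while cur is not None and (max_depth is None or steps < max_depth):
        rec = resolver.txt_lookup(ADSP_PREFIX + cur)
        if rec is not None:
            break
        cur, steps = parent(cur), steps + 1
    return rec, len(resolver.queries) - start


def make_sample_zone() -> FakeResolver:
    """Constructed zone: example.com publishes a practice, its mail host does not."""
    return FakeResolver(
        txt={ADSP_PREFIX + "example.com": "dkim=all"},
        existing={"example.com", "mail.example.com"},
    )


def compare(domain: str) -> Dict[str, Tuple[Optional[str], int]]:
    """Run each strategy on a fresh resolver for one From: domain."""
    return {
        "bounded": adsp_lookup_bounded(make_sample_zone(), domain),
        "tree_walk": adsp_lookup_tree_walk(make_sample_zone(), domain),
        "walk_5_deep": adsp_lookup_tree_walk(make_sample_zone(), domain, max_depth=5),
    }


if __name__ == "__main__":
    for d in ("mail.example.com", "a.b.c.d.e.f.g.h.example.com"):
        print(d, compare(d))
```

For `mail.example.com` the bounded lookup spends three queries and finds the parent's `dkim=all`; for the ten-label `a.b.c.d.e.f.g.h.example.com`, which does not exist, it stops after two (the record miss and the existence check), while the unbounded walk spends nine, one per label until it reaches `example.com`. The query count of the walk is under the sender's control, which is the amplification concern in the quoted text; the bounded form's count is not.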

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html