Tony Finch:
On Sun, 25 May 2008, Eliot Lear wrote:
Some will argue that we don't know the right answer and that operational
experience may teach us differently.
We already have years of operational experience of validating domains
according to RFC 2821 section 5.
You are seriously advocating that verifiers connect to an authoritative
SMTP server for the author domain? I remind you that the mere
existence of an A/AAAA/whatever record does not "validate" something
as an author domain. It could be a device that does not even have
an SMTP implementation.
I find it embarrassing to see people keep assuming that the bad guys
will play by the rules. In this case, people are assuming that the
bad guys will use only those author domains that resolve to valid
SMTP server implementations.
DNS lookup alone cannot validate an author domain, so one might
just as well use the least complicated mechanism. The SSP NXDOMAIN
check is sufficient; the RFC 2821 section 5 MX/A/AAAA lookups create
overhead without actual security benefit.
Wietse
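An added illustration (not code from this thread or from any DKIM implementation) of the two author-domain checks being contrasted above, run over a constructed in-memory zone so it works offline; the domain names and records are invented, and the distinction between NXDOMAIN (name does not exist) and NODATA (name exists, no record of that type) is the one a real resolver reports.

```python
# Added example: compares an RFC 2821 section 5 style MX/A/AAAA check with a
# bare NXDOMAIN existence check. The "DNS" below is a constructed dictionary,
# not a real resolver, so the script runs offline.

NXDOMAIN = "NXDOMAIN"   # the name does not exist at all
NODATA = "NODATA"       # the name exists but has no record of the asked type
OK = "OK"

# Constructed zone data: name -> {rrtype: [values]}.
FAKE_DNS = {
    "example.com": {"MX": ["mail.example.com"], "A": ["192.0.2.10"]},
    "printer.example.net": {"A": ["198.51.100.7"]},    # a device with no SMTP at all
    "txt-only.example.org": {"TXT": ["v=spf1 -all"]},  # exists, but nothing to deliver to
}


def lookup(name, rrtype):
    """Answer like a resolver: (NXDOMAIN, []), (NODATA, []) or (OK, records)."""
    node = FAKE_DNS.get(name.lower().rstrip("."))
    if node is None:
        return NXDOMAIN, []
    records = node.get(rrtype, [])
    if not records:
        return NODATA, []
    return OK, records


def rfc2821_section5_check(domain):
    """RFC 2821 s.5 style: accept if MX exists, else fall back to implicit A/AAAA."""
    if lookup(domain, "MX")[0] == OK:
        return True
    return any(lookup(domain, rr)[0] == OK for rr in ("A", "AAAA"))


def ssp_nxdomain_check(domain):
    """SSP-style existence check: only a name that does not exist at all fails."""
    status, _ = lookup(domain, "MX")  # query type is irrelevant; only NXDOMAIN matters
    return status != NXDOMAIN


def compare(domain):
    """Return (passes_rfc2821, passes_nxdomain) so the two policies can be compared."""
    return rfc2821_section5_check(domain), ssp_nxdomain_check(domain)


if __name__ == "__main__":
    for d in ("example.com", "printer.example.net", "txt-only.example.org", "nonexistent.example"):
        print(d, compare(d))
```

The printer case is the point of the reply: it passes the heavier MX/A/AAAA check just as readily as a real mail domain, so that check adds cost without telling the verifier anything the NXDOMAIN test does not.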
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html