ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] NEW ISSUE Re: requirement for one ADSP record per DNS entry makes ADSP undeployable

2008-05-27 09:54:47
from [Steve Atkins] [Permanent Link] 

On May 27, 2008, at 2:16 AM, Eliot Lear wrote:


- sorry - subject line error on my part (that's the only change).

Eliot Lear wrote:

In order for ADSP to be of use, it must be easily deployable by
enterprises and service providers.  Otherwise, there is no point in
bothering to check for answers.


Very few senders are going to care about or be able to use ADSP.

Those senders want as many receivers as possible to check ADSP.

So, in order for it to be successful, you need a small number of well
motivated senders to publish records (a one-time effort, along with
a little ongoing, easily automated, maintenance) and you need a
large number of much less motivated receivers to check ADSP on
every single one of hundreds of millions of inbound emails, and their
myriad MTA providers to implement efficient code to do so.

Given that, it's clear that for there to be any chance of successful
deployment is going to be dominated by the receivers. Simplifying
the job for the receiver as much as possible is a requirement for
getting that deployment.

If that means moving some of the pain, even a disproportionate
amount of pain, onto those few, well motivated senders then that's
a good tradeoff.


The absence of a parent label check
will mean that enterprises must list an ADSP record for each and  
every
DNS entry they have.  It is not unusual for enterprises to have  
tens of
thousands of DNS entries.


It's not unusual for them to have a deep DNS tree, either. A single
level tree walk will only benefit those enterprises who use shallow
DNS trees anyway.


The vast majority of enterprises make use of
provisioning systems that takes years to update and deploy.  ADSP
deployment is now dependent on those implementations.  Because of  
that
ADSP adoption can be expected to lag dramatically behind DKIM.  The
result will be that recipient sites will infer policy by the  
existence
of records and hence implicitly implement a strict test.

Hence as things stand I expect ADSP to never be deployed,


I certainly don't expect it to be widely deployed by senders on  
arbitrary
existing domains. If there is widespread deployment I expect most
of it to be on customer-facing ecommerce and banking domains, not
existing enterprise domains. Really, cisco and similar corporations
are not particularly likely phishing targets.


and I request
active consideration of the provisioning systems in use.



If a sender isn't prepared to do the one-time effort to publish some
DNS records, then ADSP clearly isn't important to them.

Cheers,
   Steve

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] why we should clearly specify domain existence, Frank Ellermann
Next by Date:  Re: [ietf-dkim] Fwd: Re: domain existence check, Bill.Oxley
Previous by Thread:  [ietf-dkim] NEW ISSUE Re: requirement for one ADSP record per DNS entry makes ADSP undeployable, Eliot Lear
Next by Thread:  Re: [ietf-dkim] NEW ISSUE Re: requirement for one ADSP record per DNS entry makes ADSP undeployable, Eliot Lear
Indexes:  [Date] [Thread] [Top] [All Lists]