ietf-dkim

Re: [ietf-dkim] requirement for one ADSP record per DNS entry is irrelevant

2008-05-27 12:24:47

On May 27, 2008, at 11:20 AM, Eliot Lear wrote:

> Dave Crocker wrote:
> > ...  New insight, changed conditions, or the like.
> > What has changed, Eliot?

> John (and others - to be fair) have repeatedly mischaracterized as a
> tree walk a parent lookup.  The two are very different.

Inducing transactions against parent domains when receiving messages
containing spoofed addresses (approaching trillions per day) involves
a domain not otherwise associated with the service.  Suggestions that
these domains can react by publishing bogus MX records as their means
to mitigate the increased transactions are also impractical and
outright unfair.  Such methods are based upon a desire to not impose
any requirement upon Author Domain validity, except in the case where
a sending domain asserts this desire.  Why not allow receiving hosts
to decide whether non-SMTP message addresses are acceptable based
solely upon positive evidence of SMTP being supported directly by the
domain?  Don't inundate parent domains handling perhaps millions of
sub-domains with non-terminated transactions regarding practices not
within their bailiwick.

> It is clear to me that confusion has ensued over precisely that
> point.  I stated this to John and then he repeated the false
> assertion.  Perhaps he thinks it's a small point - it is not.  John
> is correct to point out that some time ago there WAS a tree walk,
> but that has been gone for - well, quite some time.

A journey of a thousand domains still starts with the first step.   
Even walking up one level can lead to similar problems as that of a  
walk up to the TLD.

On a similar topic regarding practicalities:

Publishing ADSP at every host can be simplified by eliminating the  
"_domainkey" prefix.  If a domain wishes to have a provider publish  
this record, it can delegate "_adsp.example.com" just as easily as it  
could delegate "_domainkey.example.com".  When a domain wishes to  
delegate a portion of their "_domainkey" domain, this will require  
ADSP records to be published separately anyway.  Injecting  
"_domainkey" above each ADSP policy record adds unnecessary overhead.   
There should not be an expectation that some third-party email  
provider will be able to satisfy this need for all hosts either.  At
least delegating just "_adsp" domains for the purpose of publishing
records at unused domains will not expose the domain to providers able  
to spoof signed email from these domains.

-Doug
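As an added illustration (not code from this thread or from any DKIM implementation) of the difference between a policy lookup at the author domain only and one that also tries the parent, using the "_adsp.<domain>" record layout proposed above, a constructed DNS table, and a constructed stream of spoofed sub-domain addresses:

```python
# Simulates which DNS names receive queries under three receiver strategies:
# exact-domain lookup, one-level parent lookup, and an MX-evidence gate first.
from collections import Counter

# Constructed authoritative data (assumption): example.com hosts many sub-domains,
# only one of which publishes a policy. Record names follow the "_adsp.<domain>"
# layout proposed in the message, not the deployed ADSP naming.
DNS = {
    "_adsp.example.com": "dkim=unknown",
    "_adsp.mail.example.com": "dkim=all",
    "mail.example.com": "MX mx.example.com",
    "example.com": "MX mx.example.com",
}

def parent(domain):
    """Return the domain one label up, or None when already at the top."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None

def owner(name):
    """The domain whose namespace a query for `name` targets (strip `_adsp`)."""
    return name[len("_adsp."):] if name.startswith("_adsp.") else name

def policy_lookup(author_domain, walk_parent, queries):
    """Query _adsp.<author_domain>; if absent and walk_parent, retry one level up.
    `queries` records which domain each query lands on."""
    name = "_adsp." + author_domain
    queries[owner(name)] += 1
    if name in DNS:
        return DNS[name]
    up = parent(author_domain)
    if walk_parent and up:
        name = "_adsp." + up
        queries[owner(name)] += 1
        return DNS.get(name)
    return None

def policy_for(author_domain, walk_parent):
    return policy_lookup(author_domain, walk_parent, Counter())

def smtp_evidence(author_domain, queries):
    """Positive evidence that the domain itself receives mail: an MX record."""
    queries[author_domain] += 1
    return DNS.get(author_domain, "").startswith("MX ")

def query_load(addresses, walk_parent, require_smtp=False):
    """Count queries per domain for a stream of author addresses."""
    queries = Counter()
    for addr in addresses:
        domain = addr.split("@", 1)[1]
        if require_smtp and not smtp_evidence(domain, queries):
            continue  # no MX at the author domain: rejected without a parent query
        policy_lookup(domain, walk_parent, queries)
    return queries
```

With a constructed stream such as `[f"u@host{i}.example.com" for i in range(1000)]`, the parent-walk strategy sends one query to example.com's own namespace per spoofed message, while the MX gate sends none.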


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html