ietf-dkim

Re: [ietf-dkim] DKIM - Is policy record required?

2009-08-18 02:49:09
On 8/17/09 10:00 PM, deiva shanmugam wrote:
> Hi,
>
> Could someone let me know, is querying the policy record essential for
> DKIM at verification side as DKIM is derived from DomainKeys?
>
> In RFC 4871, usage of policy record was not clearly mentioned. But in
> section 6.3, the RFC says "when communicating with a peer who, by prior
> agreement, agrees to only /send signed messages/" and in section 8.4,
> RFC says "A second security issue related to the DNS revolves around the
> increased DNS traffic as a consequence of fetching selector-based data
> as well as /fetching signing domain policy/." So, I'm not sure whether
> the policy record in DNS TXT record in _domainkey.<domain_name> needs to
> be queried for DKIM?

Some might view policy records as a means to offer advice in creating 
phished lists.  These lists identify domains suffering from being 
spoofed, where such policy records grant permission to reject 
non-compliant messages.  Some receivers might discard non-compliant 
messages, which of course could place messages forwarded through a 
mailing list at risk.

These records are unlikely to be queried on a per message basis at some 
negative caching rate, as this would be needed for every email domain, 
and not just for those with a DKIM signature.  Instead, a periodic 
sampling of DKIM domains or a third-party service could consolidate into 
a list the domains in need of stringent handling from those that have 
been seen using DKIM.

-Doug


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html