
Re: MASS Security Review document

2005-02-11 18:39:30

On Fri, 2005-02-11 at 16:30 -0800, domainkeys-feedbackbase01(_at_)yahoo(_dot_)com wrote:

> Perhaps a better name is an optional revocation identifier? If
> present, the recipient should check the revocation list (aka the
> presence of the corresponding DNS entry).
>
> I think beneficial cacheability is suspect because the domains most
> likely to issue revocation identifiers are large free providers who
> will generate a huge number of ids and recipient domains are likely
> to see a small random number of these during any caching period.

There are typically several queries invoked to resolve a DNS lookup.
With respect to caching such a "revocation identifier" against a large
domain, only a single remaining query would normally be required.  The
response would entail sorting through a small number of these
identifiers and represent the smallest packet practical for a
connectionless exchange.  Negative caching is normally less than a few
hours, where too long would defeat its utility.

This approach is ubiquitously employed to investigate the reputation of
an IP address before accepting mail.  Those identifiers discovered
spamming would return an A record, retained in cache with a long TTL.
This selective retention allows immediate rejection of abusive messages
to protect resources and curtail potential harm.  Flushing non-abusive
identifiers over a shorter time prevents the cache from growing too
quickly.  It would be difficult to design a better scheme.

For the large provider, this should represent much less of a burden when
compared to per-user keys.  Again, this would be an option.

-Doug
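The selective-retention scheme Doug describes above (a revocation identifier looked up as a DNS name, a positive answer kept in cache for a long TTL, a negative answer flushed after a short one) can be modelled with a small resolver-side cache. The following is an added example, not code from the thread or from any DomainKeys implementation; the `<ident>._revoke.<domain>` naming convention, the TTL values, the `FakeResolver` and the `FakeClock` are all constructed for illustration.

```python
"""Toy model of a DNS-backed revocation cache with selective retention.

Added example (not from the mailing-list thread). A 'revoked' identifier
answers with an A record and is retained for a long TTL; a 'not revoked'
identifier answers NXDOMAIN and is negatively cached only briefly, so the
cache does not fill up with the many harmless ids a large provider issues.
"""

from dataclasses import dataclass
import time

# Constructed TTLs: long retention for positive (revoked) hits, short for
# negative answers, mirroring the 'less than a few hours' negative caching
# the message describes.
REVOKED_TTL = 24 * 3600
NEGATIVE_TTL = 2 * 3600


@dataclass
class CacheEntry:
    revoked: bool
    expires_at: float


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeResolver:
    """Constructed stand-in for a DNS lookup: returns True when an A record
    exists for the name (identifier revoked), False for NXDOMAIN."""

    def __init__(self, revoked_names):
        self.revoked_names = set(revoked_names)
        self.lookups = 0

    def __call__(self, name):
        self.lookups += 1
        return name in self.revoked_names


def revocation_name(domain, ident):
    # Hypothetical naming convention; the thread does not fix one.
    return f"{ident}._revoke.{domain}"


class RevocationCache:
    def __init__(self, resolver, clock=time.time):
        self._resolver = resolver
        self._clock = clock
        self._entries = {}

    def is_revoked(self, domain, ident):
        """Return True if the identifier is revoked, consulting DNS only
        when no unexpired cache entry exists."""
        name = revocation_name(domain, ident)
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.revoked
        revoked = self._resolver(name)
        ttl = REVOKED_TTL if revoked else NEGATIVE_TTL
        self._entries[name] = CacheEntry(revoked, now + ttl)
        return revoked

    def expire(self):
        """Drop expired entries; return how many remain."""
        now = self._clock()
        self._entries = {k: v for k, v in self._entries.items()
                         if v.expires_at > now}
        return len(self._entries)


def demo():
    """Walk through the cache behaviour; returns (lookups, entries_left)."""
    clock = FakeClock()
    resolver = FakeResolver({revocation_name("bigfreemail.example", "id-0042")})
    cache = RevocationCache(resolver, clock)
    cache.is_revoked("bigfreemail.example", "id-0042")   # revoked -> long TTL
    cache.is_revoked("bigfreemail.example", "id-0007")   # clean -> short TTL
    cache.is_revoked("bigfreemail.example", "id-0007")   # served from cache
    clock.advance(3 * 3600)                              # past NEGATIVE_TTL
    remaining = cache.expire()                           # only revoked id kept
    return resolver.lookups, remaining


if __name__ == "__main__":
    print(demo())
```

Two lookups reach the resolver in `demo()`; the repeated clean lookup is answered from the negative cache, and after the negative TTL passes only the revoked entry survives `expire()`, which is the growth-limiting behaviour the message argues for.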
