
Re: DKIM KEY SSP Override Option [was Re: The cost of choices]

2005-07-30 13:15:20

Michael Thomas wrote:

> We've thought quite a lot about this and it really looks like the only reasonable way to deal with this is to segregate the traffic into different subdomains (yes, I hear the groans) with different policies. The alternative is that you need to enumerate all of the policies at one level of the DNS tree, which is unattractive given MTU considerations. Thus, you'd want:
>
> _policy._domainkey.biz.santronix.com. IN TXT "o=!;"
>
> _policy._domainkey.santronix.com. IN TXT "o=-;"
>
> or something like that.

There is one other option, which is to make signing policy granular at the user level (o=^, or USER in Hector's terminology). This needs more analysis, but may involve a lot of DNS lookups (plus the potential for an attacker to cause more by sending lots of messages from random addresses in the domain).

-Jim
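As an added illustration (not code from the thread, nor from any DKIM or SSP implementation), the following Python resolves a signing policy for a sender address against a constructed in-memory "zone" and counts the lookups a verifier would issue. It shows the two things the exchange above discusses: the subdomain split, where mail from biz.santronix.com hits its own `_policy._domainkey` record directly, and the lookup cost of a user-level (`o=^`) policy when an attacker sends from many distinct random addresses. The zone contents, the `<localpart>._policy._domainkey.<domain>` layout for per-user records, the exact-domain lookup with no walk up the tree, and the `example.test` domain are all assumptions made for the example.

```python
"""Constructed example of DKIM SSP policy lookup and its DNS query cost."""

# Constructed zone: owner name -> TXT record data. The two santronix.com
# records mirror the post; the example.test records are assumed, as is the
# per-user record layout "<localpart>._policy._domainkey.<domain>".
ZONE = {
    "_policy._domainkey.biz.santronix.com": "o=!;",
    "_policy._domainkey.santronix.com": "o=-;",
    "_policy._domainkey.example.test": "o=^;",          # user-level policy (assumed)
    "alice._policy._domainkey.example.test": "o=-;",    # per-user record (assumed)
}


class PolicyResolver:
    """Stand-in for a caching DNS resolver: counts queries sent to the 'zone'."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}     # name -> record (None is cached too: negative caching)
        self.queries = 0    # lookups that actually reached the zone

    def query_txt(self, name):
        if name in self.cache:
            return self.cache[name]
        self.queries += 1
        rec = self.zone.get(name)
        self.cache[name] = rec
        return rec


def parse_tags(txt):
    """Parse 'tag=value;tag=value' data into a dict; tolerates a trailing ';'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def policy_for(resolver, address):
    """Return the 'o' policy value for a sender address, or None if no record.

    Looks only at the exact domain of the address (assumed behaviour). If the
    domain publishes o=^, a second, per-user lookup is needed.
    """
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    txt = resolver.query_txt(f"_policy._domainkey.{domain}")
    if txt is None:
        return None
    policy = parse_tags(txt).get("o")
    if policy != "^":
        return policy
    # User-level policy: one more lookup, and its name differs for every local part.
    user_txt = resolver.query_txt(f"{local}._policy._domainkey.{domain}")
    if user_txt is None:
        return None
    return parse_tags(user_txt).get("o")


def lookups_for_random_senders(domain, n):
    """Count zone queries caused by n messages from n distinct local parts.

    Models the concern in the post: with a domain-level policy the answer is
    cached after one query, but with o=^ every new address costs a lookup.
    """
    resolver = PolicyResolver(ZONE)
    for i in range(n):
        policy_for(resolver, f"user{i}@{domain}")
    return resolver.queries


if __name__ == "__main__":
    r = PolicyResolver(ZONE)
    for addr in ("bob@biz.santronix.com", "bob@santronix.com", "alice@example.test"):
        print(addr, "->", policy_for(r, addr))
    print("santronix.com, 100 random senders:", lookups_for_random_senders("santronix.com", 100))
    print("example.test, 100 random senders:", lookups_for_random_senders("example.test", 100))
```

With a domain-level record, a hundred messages from random local parts at santronix.com cost one zone query because the cache answers the rest; with the assumed user-level layout the same traffic at example.test costs a hundred and one, since each random local part names a record the cache has never seen. Negative caching does not help here, which is exactly why the per-user option needs the further analysis the post mentions.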
