[ietf-dkim] Issue #1265: Signing by parent domains
Steve Atkins
steve at blighty.com
Mon May 29 20:53:19 PDT 2006
On May 29, 2006, at 8:07 PM, Barry Leiba wrote:
>> indeed. which prompts the obvious question: why are folks
>> pursuing this.
>
> And I think the thread has gone on long enough with enough
> participants for me to say that I see strong consensus that this
> particular concern is not shared.
>
> This subtopic is closed. Let's look at any other reasons to remove
> the parent-domain point. Is there one?

It's ugly and it adds significant complexity in analysing the system,
and some lesser spec and implementation complexity.

The only valid reason to require it, I think, is for the benefit of
users who use wildcard MXes, to enable them to make up subdomains
on-the-fly, and who send mail using from addresses in those subdomains.
Given that DK puts its information to the left of the domain-cut it's
unavoidable in that case. I don't know how widespread this usage of
mail sent (not received) with domain parts that map onto wildcard
MXes with arbitrary subdomains is. I suspect it doesn't actually happen.

I think that if it's used in other cases it will be a fairly strong
sign of bad architectural design on the part of the sender, but
there's nothing that obliges a sender to use this misfeature in those
cases, and I don't see any security issues with it being supported,
other than complexity.

It's an ugly wart, but I see more harm in arguing about it than
implementing it.

Cheers,
Steve