tree walking (was - Re: [ietf-dkim] user level ssp)
dotis at mail-abuse.org
Wed Sep 6 16:25:30 PDT 2006
On Sep 6, 2006, at 4:00 PM, william(at)elan.net wrote:
> Actually your tree-walking in general is what's most troublesome to
> me. This is what would cause the most problems and most extra
> queries and cache misses (I know NXDOMAIN can be cached but don't
> assume you can rely on it). And I don't think this will fly during
> last-call and/or when DNS folks see this.
A scheme could offer protection by annotating assured valid
email-addresses of those also found within the address-book. This list of
email-addresses can be enhanced with local-parts added via policy.
With this scheme there is _no_ need to walk label trees. This
protection does _not_ depend upon blocking look-alikes or spoofed
DKIM requires some form of annotation, as valid signatures are
transparent by design. Blocking all bad actors is not practical. By
depending upon the address book, not providing bad actors any
assuring annotations can be achieved in most cases without any
additional transactions beyond just verifying the signature. Some
additional transactions might extend the list of email-addresses
being annotated, or extend the assurance of valid email-addresses by
way of associations.
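The two approaches argued over above, as an added example that is not part of the thread or of any DKIM implementation: a small Python model that counts the DNS names a label-tree walk would have to resolve for a given From domain, beside an address-book annotation that decides using only the already-completed signature verification and local data. The `_policy` record prefix is a placeholder (the thread names no record), the signing domain is required to equal the From domain as a simplification, "local-parts added via policy" is interpreted as full addresses supplied by local policy, and all sample messages and address-book entries are constructed.

```python
"""Added example (not from the thread): a model of the two approaches.
tree_walk_queries() lists the DNS names a label-by-label policy walk would
have to resolve for a From domain; annotate() applies the address-book
scheme, which needs no lookup beyond the DKIM verification already done.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Placeholder record prefix; the thread does not name the real policy
# record, so this is an assumption used only to count queries.
POLICY_PREFIX = "_policy"


@dataclass(frozen=True)
class Message:
    from_addr: str          # address shown to the recipient (From header)
    signature_valid: bool   # outcome of the DKIM verification already done
    signing_domain: str     # d= domain of the verified signature, "" if none


def tree_walk_queries(domain: str, prefix: str = POLICY_PREFIX) -> List[str]:
    """Names a label-tree walk would query for `domain`, most specific first.

    Worst case: every label up to (but not including) the root, each a
    potential cache miss, before any policy record is found.
    """
    labels = domain.lower().strip(".").split(".")
    return [f"{prefix}.{'.'.join(labels[i:])}" for i in range(len(labels))]


def annotate(msg: Message, address_book: Set[str],
             policy_addresses: Set[str]) -> Optional[str]:
    """Return "assured" for a message that merits an assuring annotation.

    Only local data is consulted: the verified signature result, the
    recipient's address book, and addresses added by local policy (the
    thread's "local-parts added via policy", read here as full addresses).
    No DNS transaction is performed.
    """
    if not msg.signature_valid:
        return None
    addr = msg.from_addr.lower()
    domain = addr.rsplit("@", 1)[1]
    # Simplification (assumption): the signing domain must equal the From
    # domain, so a valid signature from another domain vouches for nothing.
    if domain != msg.signing_domain.lower():
        return None
    if addr in address_book or addr in policy_addresses:
        return "assured"
    # Valid signature, unknown sender (look-alike domains included): no
    # assurance is shown, and nothing has to be blocked either.
    return None


def compare(msg: Message, address_book: Set[str],
            policy_addresses: Set[str]) -> dict:
    """Extra DNS queries each approach needs for one message, plus the
    annotation the address-book scheme produces."""
    domain = msg.from_addr.rsplit("@", 1)[1]
    return {
        "tree_walk_queries": len(tree_walk_queries(domain)),
        "address_book_queries": 0,          # annotate() never touches DNS
        "annotation": annotate(msg, address_book, policy_addresses),
    }


if __name__ == "__main__":
    # Constructed sample data.
    book = {"alice@example.com"}
    policy = {"billing@mail.example.com"}
    samples = [
        Message("alice@example.com", True, "example.com"),    # known, signed
        Message("alice@examp1e.com", True, "examp1e.com"),    # look-alike, signed
        Message("alice@example.com", True, "other.net"),      # third-party signature
        Message("billing@mail.example.com", True, "mail.example.com"),
        Message("alice@example.com", False, ""),              # no valid signature
    ]
    for m in samples:
        print(m.from_addr, compare(m, book, policy))
```

The look-alike and third-party-signature cases are the point of the comparison: both carry a valid signature, both get no assuring annotation, and neither needs any lookup or blocking decision to reach that result, whereas the tree walk pays a query per label regardless of whether the sender is known.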