[ietf-dkim] New Issue: Applicability of SSP to subdomains
Hector Santos
hsantos at santronics.com
Fri Dec 8 18:50:22 PST 2006
Jim Fenton wrote:
> Hector,
>
> Hector Santos wrote:
>> Jim Fenton wrote:
>>
>>> The question is simply, "should it be possible for an SSP record
>>> published by example.com to also apply to sub.example.com [for any
>>> value of sub]".
>>
>> Yes, but allowance is made for the sub as well. Aren't the specs
>> currently written as such?
> draft-allman-dkim-ssp does attempt to address subdomains, but there are
> problems with its methodology that I presented at the WG meeting. I know
> you weren't there, but if you look at the slides at
> http://www3.ietf.org/proceedings/06nov/slides/dkim-3.pdf, especially
> slide 4, it discusses this further.

Thanks, printing it out now.

> But this question is about the SSP requirements draft. Currently the
> requirements draft is silent on this issue, and not all of the drafts
> presented at the WG meeting address propagation of SSP to subdomains,
> which is what prompts me to ask the question. Lookup order would then
> be a secondary question if we decide that we need to address subdomains.

I agree. I think it fits and we need it simply because from the domain
owner standpoint sub-email-domains will most likely have different
purposes for their existence. Everyone may apply it differently, but I
think it fits for DKIM purposes as well.

Technically, look at the print slide #4, the "Solution:" item:

Given D.C.B.A, does this imply the lookup is?

   A
   B.C
   C.B.A
   D.C.B.A

and you stop at the first NXDOMAIN?

So for example, let's say there are policies written for

   A         Policy 1 - company wide
   B.C       Policy 2 - subdomain
   C.B.A     Policy 3 - subdomain
   D.C.B.A   NXDOMAIN

Which policy is applied for D.C.B.A? Policy 3?

Did I read that slide right?

If so, what is technically wrong starting at the bottom first, with the
direct domain first, then if NXDOMAIN, go to the next base domain?

Hmmmm, I think I see why you want to start at the base first, to cover
the entire domain policy.

But maybe we need a flag in the policy that says the specific sub-domain
policy should be looked up.

So you always start at the base (A), then if the flag does not say to
try the sub-domain, then this can serve as a short circuit to
minimize lookups. But if it does, then the direct lookup is done.

Make sense?

---
HLS
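
The three lookup orders raised in this message, compared on one constructed zone. This is an added example, not part of the original post or of any SSP draft. The zone contents, the `check_sub` flag name and the fall-back to the base policy when the direct lookup returns NXDOMAIN are assumptions.

```python
# Added example. ZONE is constructed; a missing key models NXDOMAIN.
# "check_sub" is a hypothetical name for the flag proposed in the message.
BASE = "example.com"
ZONE = {
    "example.com": {"policy": "Policy 1 - company wide", "check_sub": True},
    "b.example.com": {"policy": "Policy 2 - subdomain"},
    "c.b.example.com": {"policy": "Policy 3 - subdomain"},
}

def candidates(name, base=BASE):
    """Names from the base down to `name`: A, B.A, C.B.A, D.C.B.A."""
    out = [base]
    for label in reversed(name[: -len(base)].rstrip(".").split(".")):
        if label:
            out.append(f"{label}.{out[-1]}")
    return out

def query(name, log):
    log.append(name)          # record every DNS query issued
    return ZONE.get(name)     # None stands in for NXDOMAIN

def top_down(name):
    """Base first, descend, stop at the first NXDOMAIN; last hit wins."""
    log, found = [], None
    for cand in candidates(name):
        rec = query(cand, log)
        if rec is None:
            break
        found = rec
    return (found["policy"] if found else None), log

def bottom_up(name):
    """Direct domain first; on NXDOMAIN move up to the next parent."""
    log = []
    for cand in reversed(candidates(name)):
        rec = query(cand, log)
        if rec is not None:
            return rec["policy"], log
    return None, log

def base_with_flag(name):
    """Base first; one direct lookup only if the base record's flag asks."""
    log = []
    base = query(BASE, log)
    if base is None or name == BASE or not base.get("check_sub"):
        return (base["policy"] if base else None), log
    direct = query(name, log)
    # Assumption: NXDOMAIN on the direct lookup falls back to the base policy.
    return (direct or base)["policy"], log
```

Each function returns the selected policy and the list of names queried. For `d.c.b.example.com` under these assumptions, top-down and bottom-up both select Policy 3 (in four and two queries respectively), while the flag scheme selects Policy 1 in two queries because it never consults the intermediate subdomains.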