[ietf-dkim] New Issue: Applicability of SSP to subdomains
hsantos at santronics.com
Fri Dec 8 18:50:22 PST 2006
Jim Fenton wrote:
> Hector Santos wrote:
>> Jim Fenton wrote:
>>> The question is simply, "should it be possible for an SSP record
>>> published by example.com to also apply to sub.example.com [for any
>>> value of sub]".
>> Yes, but allowance is made for the sub as well. Isn't the specs
>> currently written as such?
> draft-allman-dkim-ssp does attempt to address subdomains, but there are
> problems with its methodology that I presented at the WG meeting. I know
> you weren't there, but if you look at the slides at
> http://www3.ietf.org/proceedings/06nov/slides/dkim-3.pdf, especially
> slide 4, it discusses this further.
Thanks, printing it out now.
> But this question is about the SSP requirements draft. Currently the
> requirements draft is silent on this issue, and not all of the drafts
> presented at the WG meeting address propagation of SSP to subdomains,
> which is what prompts me to ask the question. Lookup order would then
> be a secondary question if we decide that we need to address subdomains.
I agree. I think it fits and we need it simply because from the domain
owner standpoint sub-email-domains will mostly likely have different
purposes for their existence. Everyone may apply it differently, but I
think it fits for DKIM purposes as well.
Technically, look at the print slide #4, the "Solution:" item:
Given D.C.B.A, does this imply the lookup is?
and you stop at the first NXDOMAIN?
So for example, lets say their are policies written for
A Policy 1 - company wide
B.C Policy 2 - subdomain
C.B.A Policy 3 - subdomain
Which policy is applied for D.C.B.A? Policy 3?
Did I read that slide right?
If so, what is technically wrong starting at the bottom first, with the
direct domain first, then if NXDOMAIN, go to the next base domain?
hmmmm, I think I see why you want to start at the base first, to cover
the entire domain policy.
But maybe we need a flat in the policy that says the specific sub-doman
policy should be looked up.
So you always start at the base (A), then if the flag does not say to
try the sub-domain, then this can serve as a short circuit to
minimize lookups. But if it does, then the direct lookup is done.
More information about the ietf-dkim