[ietf-dkim] Re: New Issue: Use of XPTR records in SSP
Douglas Otis
dotis at mail-abuse.org
Wed Apr 18 11:51:40 PDT 2007
On Apr 18, 2007, at 11:08 AM, Frank Ellermann wrote:
> Really, I can't judge it. Whatever the folks here decide, please
> check it with some "namedroppers" before we waste months revisiting
> ratholes.
Aside from a few issues remaining with DNSSEC, such as DLV, little
seems to show up on the radar.
There were several major players to claim a lack of interest in
re-visiting automation of a new type of wildcard. Whether that
qualifies as a rathole or fatigue, it is hard to tell. A new DNS
mechanism offering protocol policy requires extensive review, but
this seems highly unlikely.
DKIM protection requires:
1) Trust established with the signing domain.
2) Clearly marked messages validated by trusted signing domains.
SSP plays _no_ role in providing either of these critical points now
offered by existing plugins.
The general assumption driving SSP is that it provides a means to
reject non-compliant messages at the MTA.
Rejection at the MTA offers an illusion of protection. Protection
through rejection alone remains prone to look-alike and cousin domain
exploits, growing ever more problematic with the introduction of
Internationalizations. Dependence upon an illusion of protection
creates a larger number of victims. There can be no half measures
with respect to security.
-Doug