[ietf-dkim] Upper LeveL Domain
Douglas Otis
dotis at mail-abuse.org
Thu Apr 19 18:03:07 PDT 2007
On Apr 19, 2007, at 4:19 PM, Hallam-Baker, Phillip wrote:
> The problem here is that REGARDLESS of whose scheme you use you are
> going to need to deal with the problem that DNS wildcards do not
> have the semantics that you would want as an administrator. As we
> have discussed ad-nauseam, a DNS wildcard only applies to nodes in
> the zone which do not exist.
>
> So to make any of these schemes work we need a DNS server with the
> ability to manage macro-wildcards. This applies to Jim's schemes
> and to my schemes and to anyone else's schemes.
>
> If we have to add this capability to the DNS server there is not a
> significant cost to an XPTR record.
>
> But the key advantage here is that anyone can start DKIM signing and
> publishing SSP records today. That is not the case for a new RR.
The XPTR is a clever concept, but seems unlikely to be quickly
embraced. Regardless of the record used, this record accompanies all
other records found at each leaf. While scripts can be used to
populate a zone, automation needs to be endorsed and assured secure.
This represents a sizable investment with little added benefit from a
performance standpoint.
Publishing a list of domains run by registries provides far greater
performance for obtaining domain policy and reputation. This type of
list does not demand complex changes to DNS or usurping an RR selected
from the few supported in the corporate environment. This list
requires occasional maintenance, which is why it would be good to
standardize format and centralize where it is published.
Not as bad as distributing a host file, however every company
tracking domain reputation heavily depends upon this essential
information. Rather than each company individually generating their
own list, DKIM's base specification compatibility depends upon this
list being generally accepted and standardized as these domains are
to be excluded when validating sub-domains. A specialized RR could even
be published by SLDs to signal the domain's use by a registry, which
could help with standardization efforts. : )
Mark's suggestions regarding domain depth offering sub-policies
(assuming sub-policies are less restrictive) seemed reasonable.
-Doug
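The two ideas in the message above, a standardized list of registry-run domains that bounds the walk toward the root, and Mark's depth rule that a sub-domain may publish only a less restrictive sub-policy, are easy to show together. The following is an added example and is not code from the thread, from any SSP draft, or from any DKIM implementation. The registry list, the zone contents, the `_policy.<domain>` record name, the `dkim=` values and their restrictiveness ordering are all constructed assumptions standing in for real DNS lookups and for whatever format the working group would standardize.

```python
# Added example (not code from the ietf-dkim thread). Walk from a signing
# domain toward the root looking for a policy record, stop before any node
# on the registry list so that a registry-operated name such as "co.uk" is
# never treated as the parent of "example.co.uk", and apply the rule that a
# sub-domain's record may relax its parent's policy but never tighten it.

# Constructed: the "list of domains run by registries". A real deployment
# would load a maintained list rather than hard-code one.
REGISTRY_DOMAINS = frozenset({"com", "org", "uk", "co.uk", "org.uk"})

# Constructed zone data standing in for DNS TXT queries. The record name
# "_policy.<domain>" and the "dkim=" tag are assumptions, not a standard.
ZONE = {
    "_policy.example.com": "dkim=all",
    "_policy.tight.example.com": "dkim=strict",   # tighter than its parent
    "_policy.example.co.uk": "dkim=strict",
    "_policy.news.example.co.uk": "dkim=all",     # looser than its parent
    "_policy.co.uk": "dkim=strict",  # registry node: must never be consulted
}

# Constructed ordering, least to most restrictive.
RESTRICTIVENESS = {"unknown": 0, "all": 1, "strict": 2}


def candidates(domain, registry=REGISTRY_DOMAINS):
    """Names to consult, most specific first, stopping at the registry boundary."""
    labels = domain.lower().rstrip(".").split(".")
    names = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in registry:
            break  # everything from here up is registry-controlled
        names.append(name)
    return names


def parse_policy(record):
    """Extract the dkim= value from a tag=value;tag=value record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    value = tags.get("dkim", "unknown")
    if value not in RESTRICTIVENESS:
        raise ValueError("unknown policy value: %r" % value)
    return value


def lookup_policy(domain, zone=ZONE, registry=REGISTRY_DOMAINS):
    """Nearest record at or above domain as (policy_domain, value), or None."""
    for name in candidates(domain, registry):
        record = zone.get("_policy." + name)
        if record is not None:
            return name, parse_policy(record)
    return None


def effective_policy(domain, zone=ZONE, registry=REGISTRY_DOMAINS):
    """Apply the depth rule: walk the ancestor chain from the least specific
    record down; a sub-domain record is honored only if it is no more
    restrictive than the policy in force above it."""
    chain = []
    for name in candidates(domain, registry):
        record = zone.get("_policy." + name)
        if record is not None:
            chain.append((name, parse_policy(record)))
    if not chain:
        return None
    current_name, current = chain[-1]  # least specific published record
    for name, value in reversed(chain[:-1]):
        if RESTRICTIVENESS[value] <= RESTRICTIVENESS[current]:
            current_name, current = name, value
        # otherwise the sub-domain tried to tighten its parent's policy;
        # keep the parent's policy in force
    return current_name, current


if __name__ == "__main__":
    for d in ("mail.example.com", "host.co.uk", "news.example.co.uk",
              "host.tight.example.com"):
        print(d, "->", candidates(d), lookup_policy(d), effective_policy(d))
```

Note what the registry list buys: for `host.co.uk` the walk stops after one name and returns no policy even though the zone data contains a `_policy.co.uk` record, so a registry can neither accidentally nor deliberately impose a policy on every domain beneath it. Without the list, the same walk would have to rely on wildcard records at the registry level, which, as the quoted message points out, only match names that do not exist. Today a maintained list of this kind exists in the form of the Public Suffix List; in 2007 the thread was arguing that such a list should be standardized and centrally published.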