[ietf-dkim] SSP issues

Douglas Otis dotis at mail-abuse.org
Wed May 30 16:19:57 PDT 2007


On May 30, 2007, at 4:54 PM, william(at)elan.net wrote:

>
>> (3) Upward query vs. wildcard publication.  27 messages in  
>> discussion from 15 people.  Most of the discussion was a rehash of  
>> the idea of associating semantics with DNS zone-cuts, which we had  
>> already discussed and rejected.  I have also been trying to get an  
>> opinion from DNSOP on the idea of a one-level upward search (which  
>> I think solves 90% of the problem), but haven't gotten any response.
>
> Don't do it. The issue is that you cannot properly tell where zone  
> delegation starts. I know resourceful programmers (including me)  
> keep track of this data and know that, for example, ".com" is one  
> delegation but ".uk" is not, and there you have ".co.uk". But the  
> list is actually rather large, and for several ccTLDs you have both  
> ".com.??" and ".??" in use as proper delegation zones. So getting  
> around this is just way too tricky, and if you don't, what you end up  
> doing is sending a multitude of extra queries to ccTLD name servers.  
> This is not a proper operational approach, as the extra load would not be  
> spread but directed towards several single points on the net.

I would be happy to help co-author a draft that establishes a list of  
current domain levels used by registries which should be excluded  
from queries for DKIM related records.  The list therefore  
establishes the first and perhaps only location needing to be checked  
regarding email related policies.  A rather manageable domain list  
established by this document would eliminate a need to use any type  
of wildcard mechanism.  To avoid query overhead, new upper level  
domains should want to be added to this list as the need arises.  A  
wildcard mechanism is also something relatively easy to abuse.  As  
such, it is doubtful any wildcard scheme will gain acceptance within  
DNSEXT or DNSOPS WGs.

-Doug
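As an added illustration (not code from this thread, nor from any DKIM or SSP implementation), the following Python contrasts the naive one-level upward search William objects to with a lookup bounded by the kind of registry-level exclusion list Doug proposes. The suffix set is a constructed sample, not a real registry list, the function names are my own, and the functions return bare domain names: whichever label prefix the policy specification uses would be prepended by the caller before the DNS query is issued.

```python
# Constructed sample of registry-controlled domain levels. In a real deployment
# this would be the maintained list Doug describes; these entries only
# illustrate the ".com" vs ".co.uk" vs ".com.au" cases raised in the thread.
REGISTRY_SUFFIXES = {
    "com", "net", "org",
    "uk", "co.uk", "org.uk",
    "au", "com.au", "net.au",
}


def _labels(domain):
    """Normalise a domain name into its lowercase labels (no trailing dot)."""
    return domain.lower().rstrip(".").split(".")


def is_registry_level(domain):
    """True if querying this name would hit a registry/ccTLD name server."""
    return ".".join(_labels(domain)) in REGISTRY_SUFFIXES


def naive_one_level_up(domain):
    """The one-level upward search as proposed: the domain itself, then its
    parent, with no knowledge of where delegation starts."""
    labels = _labels(domain)
    names = [".".join(labels)]
    if len(labels) > 1:
        names.append(".".join(labels[1:]))
    return names


def policy_query_candidates(domain, max_levels=2):
    """Walk upward at most `max_levels` labels, but stop before any name on
    the registry exclusion list. The list is the only thing that lets us
    tell that "co.uk" is a registry level while "example.co.uk" is not."""
    labels = _labels(domain)
    names = []
    for i in range(min(max_levels, len(labels))):
        name = ".".join(labels[i:])
        if is_registry_level(name):
            break          # never send the query to a ccTLD/registry server
        names.append(name)
    return names


def registry_hits(names):
    """Which of a candidate list would land on registry name servers: the
    load concentration William warns about."""
    return [n for n in names if is_registry_level(n)]


if __name__ == "__main__":
    for d in ("mail.example.co.uk", "example.co.uk", "example.com", "host.example.com.au"):
        naive = naive_one_level_up(d)
        bounded = policy_query_candidates(d)
        print(f"{d:22} naive={naive} -> registry hits {registry_hits(naive)}")
        print(f"{'':22} bounded={bounded}")
```

Running the block shows that for a domain registered directly under a two-level ccTLD suffix, such as example.co.uk, the naive walk sends its second query to co.uk, while the bounded walk stops at the registrant's own name. For a deeper host name, such as mail.example.co.uk, both approaches query the same two names, which is why the one-level search looks adequate until the registry layout varies.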
