[ietf-dkim] I think we can punt the hard stuff as out of scope.
pbaker at verisign.com
Tue Jun 5 10:19:27 PDT 2007
> From: Michael Thomas [mailto:mike at mtcc.com]
> > NOMAIL is out of scope, but wildcard is in scope.
> > The relevance here is that it looks like we can get 95% or
> > better coverage of the real use cases here by acknowledging
> > that wildcards are primarily an issue for NOMAIL.
> It is? If I sign everything for my domain, I'd like to be
> able to say that for both the top level domain, and all of
> the subdomains too, right?
Why would you be signing a subdomain that does not have an A record?
Come to that, how does your understanding of DKIM policy work for a node that has no A record, no MX record and no related key records? If you have a policy 'I sign all mail', what restrictions do you impose on the key records?
I think that the corner cases for wildcarding seem to be falling into the category of support for NOMAIL and thus out of scope.
We already know how to wildcard NOMAIL. If we find that only 5% of domains actually need to wildcard a DKIM policy for domains that do not exist then we simply direct people to the existing solutions for declaring NOMAIL (MXdot, SenderID/SPF) that work with wildcard.
At that point we can solve 95% of all problems today with no infrastructure changes with the TXT/XPTR/TXT search, and the coverage will reach 100% in the future as infrastructure is upgraded.
We don't need to propose any thrashing about the DNS tree of the type that rightly upsets DNS folk. We set a clean precedent for the future. We get the benefit of an improved admin model. We build out infrastructure that is DNSSEC friendly.
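An added illustration, not part of this message or the thread: a small Python model of RFC 4592 wildcard matching over a constructed zone, showing why a wildcard TXT policy record only ever answers for names that do not exist in the zone (the NOMAIL case argued above) and says nothing for an existing host such as a mail server. The record name `_policy` and the value `dkim=all` are constructed placeholders, not any real policy syntax.

```python
# Minimal model of RFC 4592 wildcard synthesis for one zone (constructed data).
# Wildcards are only consulted when the queried name does not exist at all;
# an existing node with no record of the requested type yields NODATA, and
# a non-existent name whose closest existing ancestor has no "*" child yields NXDOMAIN.

ZONE = {
    "example.com":         {"A": ["192.0.2.1"], "MX": ["mail.example.com"]},
    "_policy.example.com": {"TXT": ["dkim=all"]},   # hypothetical policy record name
    "mail.example.com":    {"A": ["192.0.2.25"]},   # a real host that sends mail
    "*.example.com":       {"TXT": ["dkim=all"]},   # wildcard policy record
}


def _exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal (has descendants)."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup(zone, qname, qtype):
    """Return (rcode, rdata) for qname/qtype following RFC 4592 wildcard rules.

    rcode is 'NOERROR', 'NODATA' or 'NXDOMAIN'; rdata is the list of matching records.
    """
    # 1. The exact name exists: wildcards never apply, even if the type is absent.
    if qname in zone:
        rrs = zone[qname].get(qtype)
        return ("NOERROR", rrs) if rrs else ("NODATA", [])

    # 2. The name does not exist: walk up to the closest encloser (longest existing
    #    ancestor) and use its "*" child if there is one.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):
            wildcard = "*." + ancestor
            if wildcard in zone:
                rrs = zone[wildcard].get(qtype)
                return ("NOERROR", rrs) if rrs else ("NODATA", [])
            return ("NXDOMAIN", [])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for name in ("nonexistent.example.com", "mail.example.com", "example.com",
                 "x.mail.example.com", "a.b.example.com"):
        print(f"{name:28} TXT -> {lookup(ZONE, name, 'TXT')}")
```

The wildcard covers `nonexistent.example.com` and `a.b.example.com` (no `b.example.com` node exists), but `mail.example.com` gets NODATA because the host exists, and `x.mail.example.com` gets NXDOMAIN because its closest encloser `mail.example.com` has no wildcard child.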