[ietf-dkim] "I sign everything" != "No mail"

[Michael Thomas]

Hallam-Baker, Phillip wrote:
> Stephen has almost captured my issues here.
> 
> My point here is that since NOMAIL is not a MUST requirement we do not require the same level of design for deployment as for a feature that is a core requirement. In particular it is acceptable for us to specify a scheme which requires deployment of new DNS infrastructure for NOMAIL, this seems obvious to me as there are existing schemes which address this requirement.
> 
> I do want to solve NOMAIL, in fact I think that it is essential that we do so to close all possible avenues of attack, including the unsigned mail from nonexistent domain attack. However I am quite happy for expression of NOMAIL to require deployment of an XPTR capable DNS server.
> 
> I am proposing a scheme here which allows for a transition to a principled infrastructure in which NOMAIL like DKIM is supported as a first class entity. 
> 
> 
> All I don't want to do is to discuss the details of NOMAIL implementation at this point. If we get the structure right they take about half an hour.

It's an interesting tact to claim that you can solve the subdomain
attack by saying that the top level of a domain can be set to "I sign
everything" and all subdomains set to "No mail". However, they aren't
semantically equivalent and they most assuredly do not meet the actual
requirement that all subnodes be covered. I suggest we stop mudding the
waters here as it's not helpful.

		Mike