[ietf-dkim] Re: Thoughts on latest SSP draft

Douglas Otis dotis at mail-abuse.org
Wed Sep 26 15:31:42 PDT 2007


On Sep 22, 2007, at 6:38 PM, Frank Ellermann wrote:

> Douglas Otis wrote (2007-07-25 on the DKIM list):
>
>> At this point in time, it should be rather rare for incoming SMTP  
>> servers to depend upon an AAAA record for locating their servers.  
>> The DKIM WG should push to have A or AAAA record discovery  
>> deprecated.  Deprecating address record discovery techniques will  
>> eventually simplify where policy needs to be published.  At some  
>> point in the future, not publishing an MX record for the  
>> originating domain might cause a message to be rejected.
>
> Hi, scanning old messages I saw that you said this more than once  
> on the DKIM mailing list.  I'm also aware that Meng Weng Wong and  
> others proposed something in this direction on the SPF and MARID  
> list back in 2004.  It's also related to the expired "null-MX" I-D,  
> and because of that it might affect various "NOMAIL" solutions  
> (4408 "v=spf1 -all" and Phil's I-D.hallambaker-nomail).

Email policy solutions assume policy can be asserted for parent  
domains and all sub-domains.  This is done with DNS wildcard records,  
by walking some portion of the DNS tree, or checking for discovery  
records.  Any existing node within DNS prevents synthesis of a DNS  
wildcard policy record.  As such, either the domain tree must be  
walked, a policy record needs to be published at every existing node,  
or at every possible discovery record.  Publishing a policy record  
adjacent to every existing node will be difficult to manage.  Walking  
even a small portion of the label tree might negatively impact SLDs  
and TLDs.  The level of impact would depend upon consistency of the  
implementation of the negative caching of the missing address record  
transactions.  Some domains disable negative caching for faster  
transient error recovery.

> I'm not strictly against it, quite the contrary.  *But* AFAIK it's  
> not planned to remove the "A fallback" from 2821bis, in fact  
> 2821bis will augment all discussions of A records with AAAA for  
> IPv6 compatibility.

AAAA record discovery could be excluded in 2821bis and require the  
use of MX records.  One solution for resolving whether email policy  
might apply can then be validated by discovering an MX record.  At  
some point, even A records for discovery should be deprecated.  The  
presence of address records should not necessitate publishing an  
email policy.

> If you and others feel that the no-MX fallback should be limited to  
> IPv4 in 2821bis, as it arguably is in 2821, then please say so on  
> the SMTP list.  Fixing the SMTP spec. for IPv6-only senders is  
> something between tricky and impossible, and your proposal could  
> shift this task from impossible towards tricky.

The impact of the deprecation would not cause discovery to fail, as A  
records could still be used.  The impact would likely be felt when  
acceptance of a message fails due to the lack of an MX record.  
Systems sending diagnostic messages within an organization might be  
white-listed to alleviate the publishing of an MX record.  Often,  
these systems are not intended to communicate with some random set of  
domains.

-Doug
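An added example (not part of this message or the DKIM WG drafts) modelling the two points above: a wildcard policy record whose synthesis is blocked by any existing node (RFC 4592 closest-encloser rules), and MX-versus-address-record discovery of whether a domain receives mail. The zone is constructed, and the `_policy.<domain>` TXT naming is an assumption made for the illustration.

```python
"""Constructed model: a wildcard policy record, an existing node that
blocks its synthesis (RFC 4592), and MX-vs-address-record discovery."""
from typing import Dict, List, Optional, Set

# Constructed in-memory zone: owner name -> {rrtype: [rdata]}.
# Policy record naming (TXT at _policy.<domain>) is an assumption.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"MX": ["10 mx.example.com"], "A": ["192.0.2.1"]},
    "*.example.com": {"TXT": ["policy=all"]},     # wildcard policy record
    "mx.example.com": {"A": ["192.0.2.25"]},
    "host.example.com": {"A": ["192.0.2.3"]},     # existing node, no MX
}

def _nodes() -> Set[str]:
    """All nodes in the zone, including empty non-terminals."""
    nodes: Set[str] = set()
    for owner in ZONE:
        labels = owner.split(".")
        for i in range(len(labels) - 1):
            nodes.add(".".join(labels[i:]))
    return nodes

def lookup(name: str, rrtype: str) -> Optional[List[str]]:
    """RFC 4592 lookup: None = NXDOMAIN, [] = node exists but no RRset."""
    name = name.rstrip(".").lower()
    nodes = _nodes()
    if name in nodes:
        return list(ZONE.get(name, {}).get(rrtype, []))
    labels = name.split(".")
    for i in range(1, len(labels)):            # find the closest encloser
        encloser = ".".join(labels[i:])
        if encloser in nodes:
            source = "*." + encloser           # wildcard source of synthesis
            if source in ZONE:
                return list(ZONE[source].get(rrtype, []))
            return None                        # encloser has no wildcard
    return None

def policy_for(domain: str) -> Optional[str]:
    """Policy asserted for domain, directly or by wildcard synthesis."""
    rr = lookup("_policy." + domain, "TXT")
    return rr[0] if rr else None

def receives_mail(domain: str, address_fallback: bool = True) -> str:
    """How RFC 2821-style discovery decides that domain accepts mail."""
    if lookup(domain, "MX"):
        return "MX"
    if address_fallback and (lookup(domain, "A") or lookup(domain, "AAAA")):
        return "A/AAAA fallback"
    return "none"
```

With the address fallback enabled, `host.example.com` counts as a mail domain yet gets no policy because its own A record blocks the wildcard; with MX-only discovery it is simply not a mail domain and needs no policy record.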
