[ietf-dkim] Issue #1541 - Do we need SSP record for DKIM=unknown?

Hector Santos hsantos at santronics.com
Thu Jan 3 00:06:17 PST 2008


I just got an automatic note from issue tracker that 1541 was added.

I would like to summarize the issue:

Initially the issue proposed to reduce the current SSP tag options:

     DKIM=strict|all|unknown

to just

     DKIM=strict|all.

The basic idea was that since DKIM-BASE already has an inherent 
"unknown" or optional signing behavior, it would be redundant and a 
waste of DNS lookups if domains added SSP records with default values, 
which is the same as having no SSP record at all.  The idea was to make 
SSP specifically useful only for restrictive DKIM signing operations: 
less complex, fewer options and therefore less exploitable.

However, Jim Fenton indicated that having a SSP record in all cases, 
including with default values, would benefit the network DNS TTL and 
caching issues as opposed to verifiers getting NXDOMAIN results.

So even if the DOMAIN has no specific intention of utilizing the 
benefits of SSP policies like strict or all, it would benefit the network 
when the DKIM domain adds a SSP record even if the default behavior is 
that of the "unknown" policy.

So probably this ISSUE #1541 is more a question of:

    Should we explicitly state in the SSP specification that
    DKIM-BASE [is highly recommended and] will benefit the DNS
    network by adding a SSP record even when the DOMAIN has no
    intention to use strict or all policies?

Jim established that having a SSP record will benefit SSP compliant 
verifiers. However, he also indicated that this might be more of a 
deployment consideration.

That might be so; however, there is no current deployment guide with SSP 
considerations. So unless that changes, in my view, I think it will 
benefit all DKIM/SSP implementers if the SSP specification includes 
the recommendation of adding a SSP record regardless of default behavior.

In addition, since Section 7, Operation Overview, states:

    Verifiers checking messages that do not have at least one valid
    Originator Signature MUST perform a Sender Signing Practices check on
    the domain specified by the Originator Address as described in
    Section 4.4.

It is more likely than not that verifiers will bear a significant 
overhead here when the majority of messages do not have signatures and 
they MUST perform a SSP discovery lookup.  Therefore, DKIM signers SHOULD 
create a SSP record to help establish their signing policy and not leave 
it in an indeterminate and DNS-wasteful state.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
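As an added example that is not part of the original post or of the SSP draft: a toy verifier in Python applying the Section 7 rule quoted above (no valid Originator Signature means an SSP lookup on the Originator Address domain), with an in-memory stand-in for DNS that counts how often a lookup is needed. It assumes the SSP record is published as a TXT record at `_ssp._domainkey.<domain>` (the draft's convention at the time, not stated in the post) and uses constructed domains and records.

```python
"""Toy DKIM/SSP verifier decision (added example, not the draft's code).

Assumptions: the SSP record lives at _ssp._domainkey.<domain> as TXT with a
"dkim=" tag whose values are strict|all|unknown (as named in the post); the
resolver below is a constructed in-memory dict standing in for real DNS.
"""
from dataclasses import dataclass, field

SSP_PREFIX = "_ssp._domainkey."            # assumed record name, see docstring
VALID_POLICIES = {"strict", "all", "unknown"}

# Constructed zone data: example.org publishes an explicit default policy,
# strict.example publishes "strict", and nossp.example has no record (NXDOMAIN).
FAKE_DNS = {
    "_ssp._domainkey.example.org": "dkim=unknown",
    "_ssp._domainkey.strict.example": "dkim=strict",
}


@dataclass
class Resolver:
    zone: dict
    lookups: int = 0                       # queries that had to leave the cache
    cache: dict = field(default_factory=dict)

    def txt(self, name):
        """Return the TXT string, or None for NXDOMAIN. Positive answers are
        cached (toy model of a TTL); a missing record is asked for every time,
        which is the overhead the post argues an explicit record avoids."""
        if name in self.cache:
            return self.cache[name]
        self.lookups += 1
        rec = self.zone.get(name)
        if rec is not None:
            self.cache[name] = rec
        return rec


def parse_ssp(txt):
    """Parse 'tag=value; tag=value' into a dict; reject unknown dkim= values."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("dkim") not in VALID_POLICIES:
        raise ValueError("unusable SSP record: %r" % txt)
    return tags


def verify(resolver, originator_domain, has_valid_originator_sig):
    """Section 7 rule: a valid Originator Signature needs no SSP check;
    otherwise look up the policy. No record is treated as 'unknown'.
    strict and all both declare that mail is signed, so unsigned mail is
    flagged; the finer distinction between them is outside this example."""
    if has_valid_originator_sig:
        return "accept"
    rec = resolver.txt(SSP_PREFIX + originator_domain)
    policy = "unknown" if rec is None else parse_ssp(rec)["dkim"]
    return "accept" if policy == "unknown" else "suspicious"
```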


