[ietf-dkim] ISSUE: SSP-02: MX Record publishing mandate to reduce DNS overhead for SSP Discovery and to detect fraudulent messages

Douglas Otis dotis at mail-abuse.org
Mon Feb 11 19:24:29 PST 2008


To better ensure the minimum number of DNS transactions occur while
processing DNS SSP and key TXT records, especially for domains that do
not implement email, the SSP draft should mandate publishing MX
records whenever an SSP record is also published.  Since the SSP
discovery process makes use of MX record queries to determine whether
the domain exists, an SSP record returned for a domain that has not
published an MX record thereby signals that both email and DKIM are
NOT used for email addresses at this domain.  This strategy affords a
better cache hit rate during the SSP discovery process, the detection
of fraudulent uses of the domain, and a means to protect second level
domains.


3.2.2. SSP Lookup Algorithm

4th & 6th Sentence Was:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list" and must include a defined "dkim=" tag.

This query MAY be done in parallel with the query made in step 2.

If the result of this query is an "NXDOMAIN" error, the SSP Checker
MUST return an appropriate error to the Evaluator and terminate the
algorithm.

4th & 6th Sentence Change to:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list", and MUST include a defined "dkim=" tag
and MUST be accompanied by an MX record at the Author Domain.

This query MAY be done in parallel with the query made in step 2.

If the result of this query is an "NXDOMAIN" error, the SSP Checker
MUST return an appropriate error to the Evaluator and terminate the
algorithm.  When the SSP record is returned without there also being
an MX record at the Author Domain, the signature SHOULD BE considered
fraudulent without further DNS transactions being attempted.

Item 2 Was:

2.  _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
  for a record corresponding to the Author Domain (with no prefix).
  The type of the query can be of any type, since this step is only
  to determine if the domain itself exists in DNS.

Item 2 Change to:

2.  _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
  for a record corresponding to the Author Domain (with no prefix).
  The type of the query SHOULD BE for an MX record.  This step can
  depend upon other record types as the response is only to determine
  whether the domain itself exists in DNS.

-Doug

