[ietf-dkim] ISSUE: SSP-02: MX Record publishing mandate to reduce
DNS overhead for SSP Discovery and to detect fraudulent messages
wietse at porcupine.org
Tue Feb 12 07:23:01 PST 2008
> To better ensure the minimum number of DNS transactions occur while
> processing DNS SSP and key TXT records, especially for domains that do
> not implement email, the SSP draft should mandate publishing MX
> records whenever an SSP record is also published. Since the SSP
> discovery process makes use of MX record queries to determine whether
> the domain exists, then when an SSP record is returned for a domain
> that has not published an MX record, this thereby signals that both
> email and DKIM are NOT used for email addresses at this domain. This
> strategy affords a better cache hit rate during the SSP discovery
> process, the detection of fraudulent uses of the domain, and a means
> to protect second level domains.
Per the draft, an NXDOMAIN reply for an Author domain lookup already
terminates the SSP algorithm with "failure". This is good enough.
DKIM and SSP are not appropriate vehicles for making other records
mandatory where now they are not.
> When the SSP record is returned without there also being
> an MX record at the Author Domain, the signature SHOULD BE considered
> fraudulent without further DNS transactions being attempted.
I oppose the re-introduction of "suspicious", "fraudulent", etc.
Those are overly-specific interpretations of failures that will
more often than not have non-malicious causes.
More information about the ietf-dkim