[ietf-dkim] ISSUE: SSP-02: MX Record publishing mandate to reduce DNS overhead for SSP Discovery and to detect fraudulent messages

Douglas Otis dotis at mail-abuse.org
Tue Feb 12 10:36:41 PST 2008


On Feb 12, 2008, at 7:23 AM, Wietse Venema wrote:

> Douglas Otis:
>> To better ensure the minimum number of DNS transactions occur while  
>> processing DNS SSP and key TXT records, especially for domains that  
>> do not implement email, the SSP draft should mandate publishing MX  
>> records whenever an SSP record is also published.  Since the SSP  
>> discovery process makes use of MX record queries to determine  
>> whether the domain exists, then when an SSP record is returned for  
>> a domain that has not published an MX record, this thereby signals  
>> that both email and DKIM are NOT used for email addresses at this  
>> domain.  This strategy affords a better cache hit rate during the  
>> SSP discovery process, the detection of fraudulent uses of the  
>> domain, and a means to protect second level domains.
>
> -1.
>
> Per the draft, an NXDOMAIN reply for an Author domain lookup already  
> terminates the SSP algorithm with "failure". This is good enough.

Disagree.

> DKIM and SSP are not appropriate vehicles for making other records  
> mandatory where now they are not.

SSP already suggests querying MX records to facilitate discovery.  
(Even though an MX record does not need to be published.)  What  
prevents SSP making the publication of this record mandatory?  Is  
there any valid reason for a domain that implements DKIM not to also  
publish an MX record?  This record is _essential_ for truncating all  
sorts of policy discoveries that might become associated with the  
introduction of DKIM.

When a domain does exist, there is currently no means for the domain  
owner to truncate a policy discovery process walking up to the next  
domain and then requesting any number of key records.  In addition,  
there is also no positive means for this domain owner to disavow  
messages inducing undesired policy and DKIM transactions to prevent  
these additional transactions.  Without this convention, there will be  
two or more transactions that this convention could prevent,  
significantly transactions at parent domains.  In addition, this  
convention also makes it explicit that any message related to this domain  
has been disavowed by this convention.  Juice worth the squeezing.  : )

>> When the SSP record is returned without there also being an MX  
>> record at the Author Domain, the signature SHOULD BE considered  
>> fraudulent without further DNS transactions being attempted.
>
> -1.
>
> I oppose the re-introduction of "suspicious", "fraudulent", etc.  
> Those are overly-specific interpretations of failures that will more  
> often than not have non-malicious causes.

Agreed.  However, having an SSP record while not having an MX record  
seems like a rare failure mode.   Perhaps the message result could be  
called "disavowed" or "unsupported".  The important aspect of the  
definition is to avoid there being any implied message handling  
without knowing the reliability of this convention.

-Doug
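
A simplified model of the convention proposed in this message, added here as an example; it is not part of the original post or of the SSP draft. It counts DNS queries for one message with and without the rule "SSP record but no MX record means stop". The zone data, the lookup order, the single-level parent walk, the `SSP`/`KEY` record stand-ins and the names `CountingResolver` and `discover` are all assumptions.

```python
# Constructed zone data: a name missing from the map answers NXDOMAIN.
# "SSP" and "KEY" stand in for the SSP and DKIM key TXT records.
ZONES = {
    "example.com": {"MX": "mail.example.com", "SSP": "policy"},
    "web.example.com": {"A": "192.0.2.10", "SSP": "policy"},  # no mail, SSP published
    "host.example.com": {"A": "192.0.2.11"},                  # no mail, no SSP
}


class CountingResolver:
    """Answers from the zone map and records every query made."""

    def __init__(self, zones):
        self.zones = zones
        self.queries = []

    def lookup(self, name, rtype):
        self.queries.append((name, rtype))
        if name not in self.zones:
            return "NXDOMAIN", None
        return "NOERROR", self.zones[name].get(rtype)


def discover(author_domain, selectors, mx_convention, zones=ZONES):
    """Return (result, number of DNS queries) for one message.

    Assumed order: MX existence check, SSP at the Author Domain, SSP at the
    parent, then one key query per signature selector (d= assumed to be the
    Author Domain).
    """
    dns = CountingResolver(zones)
    status, mx = dns.lookup(author_domain, "MX")
    if status == "NXDOMAIN":
        return "failure", len(dns.queries)    # the case the draft already ends
    _, ssp = dns.lookup(author_domain, "SSP")
    if mx_convention and ssp is not None and mx is None:
        return "disavowed", len(dns.queries)  # proposed rule: no further queries
    policy_at = author_domain
    if ssp is None:                           # walk up one level for a policy
        policy_at = author_domain.partition(".")[2]
        _, ssp = dns.lookup(policy_at, "SSP")
    for selector in selectors:                # key records named by signatures
        dns.lookup(f"{selector}._domainkey.{author_domain}", "KEY")
    return (f"policy@{policy_at}" if ssp else "no-policy"), len(dns.queries)
```

In this model the rule only shortens processing for a domain whose owner has published an SSP record without an MX record; `host.example.com`, which publishes neither, still triggers the parent lookup and the key queries.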
