[ietf-dkim] Re: ISSUE 1547: SSP-02: MX Record publishing mandate to reduce DNS overhead for SSP Discovery and to detect fraudulent messages

Douglas Otis dotis at mail-abuse.org
Wed Feb 13 12:48:22 PST 2008


On Feb 13, 2008, at 10:52 AM, Jim Fenton wrote:

> Douglas Otis wrote:
>>
>> On Feb 12, 2008, at 7:53 AM, Frank Ellermann wrote:
>>
>>> Douglas Otis wrote:
>>>
>>>> the SSP draft should mandate publishing MX records whenever an
>>>> SSP record is also published.
>>>
>>> -1
>>>
>>> SSP (or ASP) have no business to "mandate" MX records, that's not
>>> their job.  MX records are not required for (2)821(bis)
>>> interoperability, and RFC 2119 has a very clear policy about
>>> arbitrary MUSTard.
>>
>> The MUST only occurs in conjunction with publishing SSP records.
>> This does not mandate publishing of MX records when SSP is not used.
>
> -1 to this proposal, for the reasons that Wietse and Frank have
> mentioned.  Furthermore, if the domain publishes an SSP record, the
> SSP lookup algorithm never gets to the step that might benefit from
> the publication of an MX record.

Jim,

There appears to be confusion regarding the impact of this
requirement.  A requirement to publish an MX record when also
publishing SMTP policy does _not_ impact RFC 2821, which had been the
basis for these objections.  When the concern is that DKIM Signing
policy records apply to other types of message traffic, then
_different_ policy records must be published for each of the different
protocols or a scope parameter is needed.  There should be a general
stipulation that the scope of _asp, _ssp, _adsp, or whatever it is
called is limited to SMTP.  When the policy affects other types of
message traffic, such as IM or UUCP, the policy records MUST BE
specifically defined for the type of traffic covered by the policy.

Email policy discovery _will_ impact domains being forged in
fraudulent email.  These domains may not be either sending or
accepting SMTP traffic as well.  Establishing a convention that
SMTP/DKIM policy is only valid in conjunction with a published MX
record does not change how SMTP or any other message handling protocol
operates.  This requirement only affects the publishing of SMTP
related policy.

It is rather unlikely there will be only one policy implemented for
SMTP, NNTP, UUCP, etc.  In addition, policy discovery adds to the DNS
burden caused by an undefined number of subsequent key look-ups,
existence tests, and tree walking for policy.  There may be any number
of signatures within different sub-domains contained within a
message.  The MX record mandate, in the case of SMTP policy, provides
a means to truncate subsequent SMTP transactions to both protect the
domain and to disavow any related traffic purportedly covered by policy.

-Doug
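The MX-gated discovery Doug argues for, written out as an added illustration that is not code from the DKIM working group or any SSP implementation. It assumes the policy record lives at a TXT record named _ssp._domainkey.<domain> (the SSP draft's location) and uses a constructed in-memory resolver so it runs offline; the query counter shows how a missing MX ends discovery after one lookup instead of the key, existence and tree-walk lookups that would otherwise follow.

```python
"""Illustration of MX-gated SMTP policy discovery (added example, not
an SSP/ADSP reference implementation).  The _ssp._domainkey record
name and the in-memory resolver below are assumptions for the demo."""

# Constructed zone data standing in for DNS answers.
ZONE = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("_ssp._domainkey.example.com", "TXT"): ["dkim=all"],
    # Has an MX but publishes no policy record.
    ("plain.example", "MX"): ["10 mx.plain.example."],
    # Publishes a policy but neither sends nor accepts SMTP (no MX);
    # under the proposed convention its SMTP policy is not valid.
    ("_ssp._domainkey.nomail.example", "TXT"): ["dkim=all"],
}


def lookup(name, rtype):
    """Stub resolver: answer list, or [] for NXDOMAIN / no data."""
    return ZONE.get((name, rtype), [])


def discover_smtp_policy(domain):
    """Return (verdict, queries).

    verdict is the published policy string, "no-policy", or
    "no-mx:smtp-disavowed"; queries counts DNS lookups performed.
    The MX existence test comes first, so a domain without an MX is
    treated as having disavowed SMTP traffic and no further policy or
    key lookups are made for it."""
    queries = 1
    if not lookup(domain, "MX"):
        return "no-mx:smtp-disavowed", queries
    queries += 1
    txt = lookup(f"_ssp._domainkey.{domain}", "TXT")
    if not txt:
        return "no-policy", queries
    return txt[0], queries


if __name__ == "__main__":
    for d in ("example.com", "plain.example", "nomail.example",
              "forged.example"):
        print(d, discover_smtp_policy(d))
```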