[ietf-dkim] Issue 1535 - clarify need for domain existence check in the decision tree (step 2)
steve at blighty.com
Tue Mar 11 11:38:08 PDT 2008
On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
> Again, to repeat what I said at the mic:
> The current, 3-step procedure is certainly an improvement, however I
> do not
> understand the need for the second step, in terms of ASP
> In any early discussion of this, I believe Jim said he thought it
> was a
> carry-over from an earlier version of the spec where the need was
> more clear.
> In any event, I think the current question is: What is it about ASP
> -- as
> opposed to concerns outside of ASP's scope -- that requires checking
> for domain
Without that check, an unsigned mail from foo at bar.baz.ebay.com will be
considered to comply with ASP unless there is an ASP record for
_asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
It's difficult to publish a wildcard ASP record with standard DNS
servers. So there is no easy way to publish an ASP assertion for "my
domain and all subdomains of it". It is only possible to publish an
ASP assertion for a finite list of hostnames.
The domain existence check means that only a defined number of ASP
records need to be published (the number of hostnames you publish
would be an upper bound unless you're using wildcards anywhere else in
your DNS, in which case all bets are off).
Removing the check removes the ability for a domain owner to make an
ASP assertion about all possible subdomains of that domain. It seems
within scope for ASP.
More information about the ietf-dkim