[ietf-dkim] Issue 1535 - clarify need for domain existence check in the decision tree (step 2)
fenton at cisco.com
Wed Mar 12 08:15:06 PDT 2008
Steve Atkins wrote:
> On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
>> Again, to repeat what I said at the mic:
>> The current, 3-step procedure is certainly an improvement, however I
>> do not
>> understand the need for the second step, in terms of ASP
>> In any early discussion of this, I believe Jim said he thought it
>> was a
>> carry-over from an earlier version of the spec where the need was
>> more clear.
>> In any event, I think the current question is: What is it about ASP
>> -- as
>> opposed to concerns outside of ASP's scope -- that requires checking
>> for domain
> Without that check, an unsigned mail from foo at bar.baz.ebay.com will be
> considered to comply with ASP unless there is an ASP record for
> _asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
> It's difficult to publish a wildcard ASP record with standard DNS
> servers. So there is no easy way to publish an ASP assertion for "my
> domain and all subdomains of it". It is only possible to publish an
> ASP assertion for a finite list of hostnames.
> The domain existence check means that only a defined number of ASP
> records need to be published (the number of hostnames you publish
> would be an upper bound unless you're using wildcards anywhere else in
> your DNS, in which case all bets are off).
> Removing the check removes the ability for a domain owner to make an
> ASP assertion about all possible subdomains of that domain. It seems
> within scope for ASP.
Steve, thank you for refreshing my memory on this. I would state it a
little differently now since SSP doesn't really have a "comply", that an
unsigned message from the domain bar.baz.ebay.com will be considered to
have an "Unknown" ASP unless...
So yes, it is important that we keep this.
More information about the ietf-dkim