[ietf-dkim] Issue 1535 - clarify need for domain existence check in the decision tree (step 2)
Jim Fenton
fenton at cisco.com
Wed Mar 12 08:15:06 PDT 2008
Steve Atkins wrote:
> On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
>
>
>> Again, to repeat what I said at the mic:
>>
>> The current, 3-step procedure is certainly an improvement, however I
>> do not understand the need for the second step, in terms of ASP
>> functionality.
>>
>> In any early discussion of this, I believe Jim said he thought it was a
>> carry-over from an earlier version of the spec where the need was more
>> clear.
>>
>> In any event, I think the current question is: What is it about ASP
>> -- as opposed to concerns outside of ASP's scope -- that requires
>> checking for domain existence?
>>
>
> Without that check, an unsigned mail from foo at bar.baz.ebay.com will be
> considered to comply with ASP unless there is an ASP record for
> _asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
>
> It's difficult to publish a wildcard ASP record with standard DNS
> servers. So there is no easy way to publish an ASP assertion for "my
> domain and all subdomains of it". It is only possible to publish an
> ASP assertion for a finite list of hostnames.
>
> The domain existence check means that only a defined number of ASP
> records need to be published (the number of hostnames you publish
> would be an upper bound unless you're using wildcards anywhere else in
> your DNS, in which case all bets are off).
>
> Removing the check removes the ability for a domain owner to make an
> ASP assertion about all possible subdomains of that domain. It seems
> within scope for ASP.
>
Steve, thank you for refreshing my memory on this. I would state it a
little differently now since SSP doesn't really have a "comply", that an
unsigned message from the domain bar.baz.ebay.com will be considered to
have an "Unknown" ASP unless...
So yes, it is important that we keep this.
-Jim
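Steve's explanation above is about the lookup procedure itself, so here is an added illustration (not code from this thread or from the ASP draft) of what the domain-existence step changes for an unsigned message. It simulates the lookup over constructed zone data, with example.com standing in for the bar.baz.ebay.com case in the message. It consults only the author domain's own _asp._domainkey name (no parent-domain walk), does not model wildcards, and the result labels are mine; all of that is an assumption of the example, not something the message or the draft specifies.

```python
"""Simulated ASP lookup: what the domain-existence step changes.

Constructed zone data stands in for DNS; nothing here talks to the network.
Illustration only: a single _asp._domainkey lookup at the author domain, no
parent-domain walk, no wildcard handling, and result labels chosen here.
"""

NO_RECORD = "unknown"                       # no assertion published ("Unknown")
DOMAIN_MISSING = "domain-does-not-exist"    # author domain is NXDOMAIN


def name_exists(zone: dict, name: str) -> bool:
    """Model NXDOMAIN versus NOERROR for an existence query.

    A name exists if it owns at least one record, or if some record lives
    below it (an "empty non-terminal" such as _domainkey.example.com, which
    answers NOERROR with no data). Only a name with neither is NXDOMAIN.
    """
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner in zone)


def parse_asp_txt(rdata: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT string into a dict."""
    tags = {}
    for field in rdata.split(";"):
        if "=" in field:
            tag, _, value = field.partition("=")
            tags[tag.strip()] = value.strip()
    return tags


def lookup_asp(zone: dict, author_domain: str, check_existence: bool = True) -> str:
    """Return the practice asserted for author_domain, or a sentinel.

    With check_existence=True the existence step runs first, so an author
    domain that is not in DNS at all is reported as DOMAIN_MISSING instead
    of silently falling through to NO_RECORD.
    """
    author_domain = author_domain.lower().rstrip(".")
    if check_existence and not name_exists(zone, author_domain):
        return DOMAIN_MISSING
    for rrtype, rdata in zone.get("_asp._domainkey." + author_domain, []):
        if rrtype == "TXT":
            practice = parse_asp_txt(rdata).get("dkim")
            if practice:
                return practice
    return NO_RECORD


def evaluate_unsigned(zone: dict, author_domain: str, check_existence: bool = True) -> str:
    """Disposition for a message that carries NO valid author signature."""
    practice = lookup_asp(zone, author_domain, check_existence)
    if practice == DOMAIN_MISSING:
        return DOMAIN_MISSING        # receiver has a basis to treat it as suspect
    if practice == NO_RECORD:
        return "no-assertion"        # nothing to hold the message against
    return "not-compliant"           # a published practice says all mail is signed


# Constructed zone (illustrative data, not a real domain's records):
# the organisation signs everything and publishes that for each host it knows of.
ZONE = {
    "example.com":                      [("MX", "10 mail.example.com.")],
    "_asp._domainkey.example.com":      [("TXT", "dkim=all")],
    "mail.example.com":                 [("A", "192.0.2.10")],
    "_asp._domainkey.mail.example.com": [("TXT", "dkim=all")],
    "www.example.com":                  [("A", "192.0.2.80")],  # real host, no ASP record
}


def compare(zone: dict, author_domains: list) -> dict:
    """Map each author domain to (result with existence step, result without)."""
    return {
        d: (evaluate_unsigned(zone, d, True), evaluate_unsigned(zone, d, False))
        for d in author_domains
    }


if __name__ == "__main__":
    cases = ["example.com", "www.example.com", "bar.baz.example.com"]
    for d, (with_check, without_check) in compare(ZONE, cases).items():
        print(f"{d:22} with check: {with_check:22} without: {without_check}")
```

The bar.baz.example.com case is the one in the message: with the existence step an unsigned message from a name that is not in DNS comes back as domain-does-not-exist, without it the same message is simply "no assertion". The www.example.com case shows Steve's upper bound: a host that does exist but has no record of its own stays at "no assertion" either way, so the domain owner still has to publish one record per existing hostname. The name_exists helper also keeps the empty-non-terminal case straight, since a NOERROR/NODATA answer for _domainkey.example.com must not be mistaken for NXDOMAIN.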