[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree
Eliot Lear
lear at cisco.com
Mon Apr 7 00:06:36 PDT 2008
Dave, Chairs,
Why isn't this a duplicate of Issue 1402
<https://rt.psg.com/Ticket/Display.html?id=1402>? By my recollection,
this topic alone has been discussed at at least two - and possibly three
- working group meetings. Please advise.
Eliot
Dave Crocker wrote:
> Folks,
>
> This issue encompasses some others, but I believe it is more basic and therefore
> informs the others and therefore needs to be resolved separately:
>
> There is a basic difference between trying to protect a single domain name,
> versus trying to protect an entire sub-tree.
>
> 1. The DNS was not designed with sub-tree operators. The wildcard mechanism is
> a very narrowly-defined capability and is useless in the face of
> underscore-based naming, since the underscore node really defines an attribute
> of the domain name it is under, rather than defining a true "name".
>
> What this leaves us with is attempting to invent mechanisms that turn out
> to do only a partial job, at best.
>
>
> 2. Some of the sub-tree effort is for administrative convenience. Some is for
> expanded semantics.
>
> It's not clear that the specification is clear about this distinction.
>
> It is not clear that the specification is clear about the motivations that
> make it mandatory to add sub-tree mechanisms to the specification.
>
>
> 3. At least one of the sub-tree mechanisms is attempting to glean information
> from the absence of publisher action. Let me explain:
>
> I believe the desire with checking the A record is similar to the idea
> behind having ADSP in the first place.
>
> That is:
>
> a) DKIM is for declaring the presence of an accountable identity. If a
> signature is present, you know something. If it is absent, you know nothing extra.
>
> b) ADSP attempts to tell you something, in the absence of a signature.
> It does that by defining something else that must be present. If the ADSP
> record is present, you know something. If it is absent, you know nothing extra.
>
> c) Checking for the presence of an A record is intended to try to tell you
> something in the absence of an explicit action by the domain owner. That's its
> flaw: It is intuiting ADSP information from non-ADSP action.
>
> While there is nothing wrong with checking the A record, its semantics
> have literally nothing (directly) to do with ADSP.
>
>
> All of the above of course implies some specific actions, but for this note,
> my real goal is to get much more explicit discussion and consensus about the
> difference between protecting a single domain name, versus protecting a tree of
> names, and to get consensus about each of these as separable goals.
>
> d/
>
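Dave's point 1 (a DNS wildcard does not cover underscore-prefixed names under an existing sub-domain) and points (b) and (c) (a present record tells you something, an absent one tells you nothing, and an A-record check is not an ADSP statement) can be made concrete. The following Python is an added example, not code from the post or from the DKIM working group: it implements the RFC 4592 wildcard-matching rule (closest encloser, then the `*` node below it) over a small constructed zone and runs an ADSP-style lookup against it. Assumptions made here: the policy record lives in a TXT record at `_adsp._domainkey.<domain>` (the label the ADSP draft used and RFC 5617 later standardized), the domain-existence step is a single A query that only fails on NXDOMAIN, and every zone entry is invented for illustration.

```python
"""Toy RFC 4592 wildcard resolution plus an ADSP-style policy lookup.

Added example, not from the ietf-dkim post. The zone below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone: owner name -> {rrtype: [rdata]}. All owner names lowercase.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"A": ["192.0.2.1"], "MX": ["10 mail.example.com"]},
    "*.example.com": {"TXT": ['"dkim=all"']},   # the hoped-for "sub-tree" policy
    "sub.example.com": {"A": ["192.0.2.2"]},    # a sub-domain that really exists
    # A DKIM key under sub.example.com; makes _domainkey.sub.example.com an
    # empty non-terminal, which also exists as a node.
    "mail._domainkey.sub.example.com": {"TXT": ['"v=DKIM1; p=<key>"']},
}


def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def node_exists(zone: Dict[str, Dict[str, List[str]]], name: str) -> bool:
    """A node exists if it owns data or is an ancestor of an owner name
    (an empty non-terminal). Wildcard owners count as ordinary nodes."""
    n = labels(name)
    for owner in zone:
        o = labels(owner)
        if len(o) >= len(n) and o[-len(n):] == n:
            return True
    return False


def closest_encloser(zone, qname: str) -> Optional[str]:
    """Longest existing ancestor of qname (RFC 4592 'closest encloser')."""
    parts = labels(qname)
    for i in range(1, len(parts)):
        cand = ".".join(parts[i:])
        if node_exists(zone, cand):
            return cand
    return None


def lookup(zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata). Wildcard synthesis only happens when the
    query name does not exist and '*' directly below its closest encloser does."""
    q = qname.rstrip(".").lower()
    if node_exists(zone, q):
        # Exact node (possibly an empty non-terminal): NOERROR, maybe no data.
        return "NOERROR", list(zone.get(q, {}).get(qtype, []))
    enc = closest_encloser(zone, q)
    if enc is None:
        return "NXDOMAIN", []
    star = "*." + enc
    if star in zone:
        return "NOERROR", list(zone[star].get(qtype, []))
    return "NXDOMAIN", []


def adsp_result(zone, domain: str) -> str:
    """ADSP-style evaluation: 'nxdomain', 'unknown', or the dkim= tag value.

    Step 1 is the domain-existence check the post criticises: it learns
    nothing about policy, only whether the name resolves at all.
    Step 2 reads the policy record; if it is absent, nothing extra is learned.
    """
    rcode, _ = lookup(zone, domain, "A")          # assumed: A query, NXDOMAIN test
    if rcode == "NXDOMAIN":
        return "nxdomain"
    rcode, txts = lookup(zone, "_adsp._domainkey." + domain, "TXT")
    if rcode != "NOERROR" or not txts:
        return "unknown"                           # absent record => nothing extra
    for tag in txts[0].strip('"').split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "dkim":
            return value.strip()
    return "unknown"


if __name__ == "__main__":
    for d in ("example.com", "sub.example.com", "new.example.com", "nosuch.example.org"):
        print(f"{d:22s} ADSP -> {adsp_result(ZONE, d)}")
```

Running it shows the "partial job" Dave describes: `new.example.com`, which the operator never created, is covered by `*.example.com` and yields `all`, while `sub.example.com`, which does exist, yields `unknown`, because `_adsp._domainkey.sub.example.com` has `_domainkey.sub.example.com` as its closest encloser and there is no `*._domainkey.sub.example.com`. The wildcard therefore protects exactly the names that do not exist and none of the ones that do.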