[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree
Stephen Farrell
stephen.farrell at cs.tcd.ie
Mon Apr 7 01:42:29 PDT 2008
Eliot Lear wrote:
> Dave, Chairs,
>
> Why isn't this a duplicate of Issue 1402
> <https://rt.psg.com/Ticket/Display.html?id=1402>? By my recollection,
> this topic alone has been discussed at at least two - and possibly three
> - working group meetings. Please advise.
It does look similar. Dave - can you differentiate this
from 1402?
Stephen.
>
> Eliot
>
>
> Dave Crocker wrote:
>> Folks,
>>
>> This issue encompasses some others, but I believe it is more basic and therefore
>> informs the others and therefore needs to be resolved separately:
>>
>> There is a basic difference between trying to protect a single domain name,
>> versus trying to protect an entire sub-tree.
>>
>> 1. The DNS was not designed with sub-tree operators. The wildcard mechanism is
>> a very narrowly-defined capability and is useless in the face of
>> underscore-based naming, since the underscore node really defines an attribute
>> of the domain name it is under, rather than defining a true "name".
>>
>> What this leaves us with is attempting to invent mechanisms that turn out
>> to do only a partial job, at best.
>>
>>
>> 2. Some of the sub-tree effort is for administrative convenience. Some is for
>> expanded semantics.
>>
>> It's not clear that the specification is clear about this distinction.
>>
>> It is not clear that the specification is clear about the motivations that
>> make it mandatory to add sub-tree mechanisms to the specification.
>>
>>
>> 3. At least one of the sub-tree mechanisms is attempting to glean information
>> from the absence of publisher action. Let me explain:
>>
>> I believe the desire with checking the A record is similar to the idea
>> behind having ADSP in the first place.
>>
>> That is:
>>
>> a) DKIM is for declaring the presence of an accountable identity. If a
>> signature is present, you know something. If it is absent, you know nothing extra.
>>
>> b) ADSP attempts to tell you something, in the absence of a signature.
>> It does that by defining something else that must be present. If the ADSP
>> record is present, you know something. If it is absent, you know nothing extra.
>>
>> c) Checking for the presence of an A record is intended to try to tell you
>> something in the absence of an explicit action by the domain owner. That's its
>> flaw: It is intuiting ADSP information from non-ADSP action.
>>
>> While there is nothing wrong with checking the A record, its semantics
>> have literally nothing (directly) to do with ADSP.
>>
>>
>> All of the above of course implies some specific actions, but for this note,
>> my real goal is to get much more explicit discussion and consensus about the
>> difference between protecting a single domain name, versus protecting a tree of
>> names, and to get consensus about each of these as separable goals.
>>
>> d/
>>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
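The three signals Dave Crocker separates in points a) to c) of the quoted note (a valid signature, an explicit ADSP record, and the mere existence of the domain) can be kept apart in code. The following is an added example, not code from this thread or from any DKIM implementation; it models a receiver-side ADSP evaluation against a constructed, offline DNS zone. The record name `_adsp._domainkey.<domain>` and the `dkim=unknown|all|discardable` tag values follow RFC 5617, which was published after this message, so their use here is an assumption for illustration. The key property it demonstrates is that the absence of an ADSP record yields no information, while the "domain does not exist" outcome is a distinct signal that is reported separately rather than folded into ADSP.

```python
"""Added example (not from the thread): keep the three presence/absence
signals from the quoted note distinct in an ADSP-style evaluation.
Record name and tag values are taken from RFC 5617 (assumption: that
RFC postdates this 2008 message)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed DNS zone for offline use: name -> {rrtype: [rdata]}
ZONE: Dict[str, Dict[str, List[str]]] = {
    "strict.example": {"A": ["192.0.2.10"]},
    "_adsp._domainkey.strict.example": {"TXT": ["dkim=discardable"]},
    "plain.example": {"A": ["192.0.2.20"]},          # exists, publishes no ADSP
    "all.example": {"MX": ["mail.all.example"]},
    "_adsp._domainkey.all.example": {"TXT": ["dkim=all"]},
    # "ghost.example" deliberately has no records of any kind
}


def stub_lookup(name: str, rrtype: str) -> Optional[List[str]]:
    """Stand-in for a DNS resolver; returns rdata list or None if absent."""
    return ZONE.get(name, {}).get(rrtype)


@dataclass
class Verdict:
    domain: str
    signature_valid: bool         # (a) an accountable identity was present
    adsp_policy: Optional[str]    # (b) explicit publisher statement, or None
    domain_exists: bool           # (c) A/AAAA/MX presence; not an ADSP statement
    disposition: str


def parse_adsp(txt: str) -> Optional[str]:
    """Extract the dkim= tag; unrecognised values count as no usable policy."""
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip() == "dkim":
            value = value.strip()
            return value if value in ("unknown", "all", "discardable") else None
    return None


def evaluate(domain: str, signature_valid: bool, lookup=stub_lookup) -> Verdict:
    """Combine the three signals without letting one masquerade as another."""
    exists = any(lookup(domain, t) for t in ("A", "AAAA", "MX"))
    policy = None
    for txt in lookup(f"_adsp._domainkey.{domain}", "TXT") or []:
        policy = parse_adsp(txt)
        if policy:
            break

    if signature_valid:
        disposition = "signed"                       # (a): signature tells us something
    elif policy == "discardable":
        disposition = "discard"                      # (b): explicit publisher action
    elif policy == "all":
        disposition = "unsigned-contrary-to-policy"  # (b): explicit publisher action
    elif policy is None and not exists:
        disposition = "domain-absent"                # (c): separate signal, not ADSP
    else:
        disposition = "no-information"               # absence of ADSP says nothing extra
    return Verdict(domain, signature_valid, policy, exists, disposition)


if __name__ == "__main__":
    for name in ("strict.example", "plain.example", "all.example", "ghost.example"):
        print(evaluate(name, signature_valid=False))
```

Running the module prints one verdict per constructed domain; `plain.example` shows the case the note is concerned with, where the domain clearly exists but, lacking an ADSP record, the evaluator reports no information rather than inferring a policy.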