[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree
Jim Fenton
fenton at cisco.com
Mon Apr 7 14:01:34 PDT 2008
Siegel, Ellen wrote:
>
> Jim, in your presentation to the ESPC you brought up the fact that one
> reason to encourage sub-domains to publish 'unknown' ADSP records was so
> that they wouldn't inadvertently inherit an ADSP record from a parent
> domain.
>
> As long as such inheritance is possible, i.e. that a subdomain can
> automatically inherit from a parent domain, it must be true that we're
> discussing subtrees.
>
There is an important difference. The subtree of example.com includes
everything ending in .example.com such as a.example.com, b.example.com,
and even f.e.d.c.b.a.example.com. ADSP does not cover the subtree; it
covers only labels in the immediate example.com domain.
> If we retain that capability, inadvertent or not, in the spec, I think
> we need to call it out explicitly and discuss how to counter it.
>
There are two ways to counter that capability: either the subdomain
publishes an ADSP record, or the parent domain publishes its ADSP record
with the t=s flag as described in section 4.2.1 (or, conceivably,
both). Another possibility, I suppose, is to apply an Author Signature
to the message which makes ADSP irrelevant as long as it isn't broken.
> However, I agree with Dave that it may be cleaner to just exclude the
> possibility of inheritance rather than try to deal with the fallout.
>
>
It's not cleaner for a domain that wishes to publish ADSP and has
thousands of hostnames in the same domain: it now faces the prospect of
publishing thousands of ADSP records, and doesn't have tools to automate
this process.
My comment at ESPC was that I believe it would be a Best Practice for
Coalition members to routinely publish, or have published, explicit ADSP
records for domains that they send from.
-Jim
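As an added illustration of the scoping discussed above (not code from the working group or from the draft itself): a toy ADSP lookup in which the Author Domain's own record is consulted first, exactly one parent label is consulted when none is found, and a parent record carrying the t=s flag is not applied to its subdomains. The zone data is constructed, and the record location (_adsp._domainkey.<domain>) and the 'dkim=...; t=s' tag syntax are assumed from the draft format of the time; the refusal to inherit from a top-level label is this example's own choice.

```python
"""
Toy model of ADSP record scope as described in this thread.

Assumptions (not taken from the message itself):
  * records live at _adsp._domainkey.<domain> as 'tag=value; tag=value' TXT
  * the 'dkim' tag carries the practice (unknown / all / discardable)
  * 't' carries colon-separated flags; 's' means the practice is scoped to
    the named domain only and must not be inherited by subdomains
  * a lookup consults at most one parent label, never a top-level label
"""
from typing import Dict, Iterable, Optional

# Constructed zone data for the example; not real DNS.
ZONE: Dict[str, str] = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.optout.example.com": "dkim=unknown",   # explicit opt-out
    "_adsp._domainkey.strict.example": "dkim=all; t=s",      # parent blocks inheritance
}


def parse_adsp(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field or "=" not in field:
            continue
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def fetch_adsp(domain: str, zone: Dict[str, str] = ZONE) -> Optional[Dict[str, str]]:
    """Return the parsed ADSP record for exactly this domain, or None."""
    txt = zone.get(f"_adsp._domainkey.{domain.lower()}")
    return parse_adsp(txt) if txt is not None else None


def adsp_practice(author_domain: str, zone: Dict[str, str] = ZONE) -> str:
    """Practice that applies to author_domain: its own record, else one parent's."""
    record = fetch_adsp(author_domain, zone)
    if record is not None:
        return record.get("dkim", "unknown")

    labels = author_domain.lower().split(".")
    # Assumption: never inherit from a top-level label such as 'com'.
    if len(labels) < 3:
        return "unknown"

    # One level of inheritance only: a.example.com may use example.com's
    # record, but f.e.d.c.b.a.example.com only looks at e.d.c.b.a.example.com.
    parent = ".".join(labels[1:])
    record = fetch_adsp(parent, zone)
    if record is None:
        return "unknown"
    flags = record.get("t", "").split(":")
    if "s" in flags:   # t=s: the parent's practice does not extend to subdomains
        return "unknown"
    return record.get("dkim", "unknown")


def evaluate(author_domain: str, valid_signature_domains: Iterable[str],
             zone: Dict[str, str] = ZONE) -> str:
    """A valid Author Signature makes ADSP irrelevant; otherwise apply the practice."""
    if author_domain.lower() in {d.lower() for d in valid_signature_domains}:
        return "pass"
    practice = adsp_practice(author_domain, zone)
    return "pass" if practice == "unknown" else "fail"


if __name__ == "__main__":
    for name in ["example.com", "a.example.com", "f.e.d.c.b.a.example.com",
                 "optout.example.com", "strict.example", "host.strict.example"]:
        print(f"{name:28} -> {adsp_practice(name)}")
```

Running it shows the three counters from the message side by side: optout.example.com escapes example.com's practice by publishing its own 'unknown' record, host.strict.example escapes because its parent carries t=s, and a message from an unsigned a.example.com address is judged by example.com's record while one from f.e.d.c.b.a.example.com is not.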