[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree
Wietse Venema
wietse at porcupine.org
Mon Apr 7 16:19:23 PDT 2008
Wietse Venema wrote:
> >a) DKIM is for declaring the presence of an accountable identity.
> >If a signature is present, you know something. If it is absent,
> >you know nothing extra.
> >
> >b) ADSP attempts to tell you something, in the absence of a
> >signature. It does that by defining something else that must be
> >present. If the ADSP record is present, you know something. If
> >it is absent, you know nothing extra.
> >
> >c) Checking for the presence of [any DNS] record is intended to try
> >to tell you something in the absence of an explicit action by the
> >domain owner. That's its flaw: It is intuiting ADSP information
> >from non-ADSP action.
>
> To clarify a perhaps overlooked point: the existence of [any DNS]
> record for the Originator domain does NOT imply that it is a valid
> email origin. If the record is absent, then we know nothing that
> the absence of the ADSP record for that domain didn't already tell
> us. Any suggestion to the contrary is probably a mistake.
Jim Fenton:
> ADSP is doing the converse of that: it takes the non-existence
> of [any DNS] record for the Author Domain as an implication that
> it is NOT a valid email origin, or more accurately reports if that
> is the reason there isn't an ADSP record for that domain.
The problem is that "valid email origin" is a subset of all the
names that resolve in the DNS. In other words, there are false
positives in the algorithm that continues when [any DNS] record
lookup succeeds.
Wietse
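The decision flow being argued over above, as an added illustration that is not part of this thread or of any DKIM implementation: a small Python model of the lookup order (signature present? author domain resolves at all? ADSP record present?) run against a constructed in-memory DNS table. The record name `_adsp._domainkey.<domain>` and the `dkim=` tag values are those later standardized in RFC 5617; the domain names and records are invented for the example. The `www.example` entry is the false positive Wietse describes: it resolves, so the "[any DNS] record" check lets the algorithm continue, yet nothing about it says it is a valid email origin.

```python
"""Model of the ADSP lookup discussed in the thread (constructed example, not real code)."""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the DNS: owner name -> list of (rrtype, rdata).
# No real resolver is consulted, so the example runs offline.
DNS: Dict[str, List[Tuple[str, str]]] = {
    # A domain that actually sends mail and publishes a strict ADSP policy.
    "bank.example": [("MX", "mx.bank.example"), ("A", "192.0.2.10")],
    "_adsp._domainkey.bank.example": [("TXT", "dkim=discardable")],
    # A web-only host: resolves in the DNS, publishes no ADSP record,
    # and has no mail infrastructure at all.
    "www.example": [("A", "192.0.2.20")],
}


def lookup(name: str, rrtype: Optional[str] = None) -> List[str]:
    """Return rdata strings for `name`, optionally restricted to one rrtype.
    An empty list plays the role of NXDOMAIN / no data."""
    return [rdata for rt, rdata in DNS.get(name.lower(), []) if rrtype is None or rt == rrtype]


def parse_tags(txt: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def adsp_policy(author_domain: str, dkim_signature_valid: bool = False) -> str:
    """Return what the verifier learns about an unsigned (or signed) message.

    Results: 'signed'      - a valid author-domain signature was present (point a)
             'nxdomain'    - the author domain has no DNS records at all
             'unknown'/'all'/'discardable' - the published ADSP policy (point b),
                             with 'unknown' also returned when no record exists
    """
    if dkim_signature_valid:
        return "signed"
    # The "[any DNS] record" check: only the *absence* of records is informative.
    if not lookup(author_domain):
        return "nxdomain"
    # The ADSP record itself, if the domain owner published one.
    for rdata in lookup(f"_adsp._domainkey.{author_domain}", "TXT"):
        policy = parse_tags(rdata).get("dkim")
        if policy in ("unknown", "all", "discardable"):
            return policy
    return "unknown"


def is_known_mail_origin(author_domain: str) -> bool:
    """Stricter, separate question: does the domain advertise mail infrastructure?
    Deliberately not used by adsp_policy(), to show the gap the thread is about."""
    return bool(lookup(author_domain, "MX"))


if __name__ == "__main__":
    for domain in ("bank.example", "www.example", "nosuch.example"):
        print(f"{domain:16} policy={adsp_policy(domain):12} "
              f"advertises mail={is_known_mail_origin(domain)}")
```

Running the block prints the three cases side by side: `bank.example` yields its published `discardable` policy, `nosuch.example` yields `nxdomain`, and `www.example` yields `unknown` even though `is_known_mail_origin()` is false for it, which is exactly the "names that resolve" versus "valid email origin" distinction in Wietse's reply.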