[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree
Jim Fenton
fenton at cisco.com
Mon Apr 7 16:49:04 PDT 2008
Wietse Venema wrote:
> Wietse Venema wrote:
>
>>> a) DKIM is for declaring the presence of an accountable identity.
>>> If a signature is present, you know something. If it is absent,
>>> you know nothing extra.
>>>
>>> b) ADSP attempts to tell you something, in the absence of a
>>> signature. It does that by defining something else that must be
>>> present. If the ADSP record is present, you know something. If
>>> it is absent, you know nothing extra.
>>>
>>> c) Checking for the presence of [any DNS] record is intended to try
>>> to tell you something in the absence of an explicit action by the
>>> domain owner. That's its flaw: It is intuiting ADSP information
>>> from non-ADSP action.
>>
>> To clarify a perhaps overlooked point: the existence of [any DNS]
>> record for the Originator domain does NOT imply that it is a valid
>> email origin. If the record is absent, then we know nothing that
>> the absence of the ADSP record for that domain didn't already tell
>> us. Any suggestion to the contrary is probably a mistake.
>>
>
> Jim Fenton:
>
>> ADSP is doing the converse of that: it takes the non-existence
>> of [any DNS] record for the Author Domain as an implication that
>> it is NOT a valid email origin, or more accurately reports if that
>> is the reason there isn't an ADSP record for that domain.
>>
>
> The problem is that "valid email origin" is a subset of all the
> names that resolve in the DNS. In other words, there are false
> positives in the algorithm that continues when [any DNS] record
> lookup succeeds.
>
That's true; that's why the result from ADSP in this case is, or should
be, "Unknown". But I don't see that in the spec; it simply indicates
that no ADSP record was present, and the spec isn't giving enough
guidance about what to do in that case. In ssp-01, it had said
"non-suspicious" in this case, and apparently this got lost when
suspiciousness was removed.
Thanks for spotting that.
-Jim
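The distinction the thread turns on (a nonexistent Author Domain versus a domain that resolves but simply publishes no ADSP record) is easy to get wrong in an implementation. The following is an added illustration, not code from the list, the ADSP drafts, or either poster: a toy evaluator over a constructed in-memory DNS snapshot that returns "nxdomain" only when the domain truly does not exist, and "unknown" when the name resolves but no usable ADSP record is found, so that the absence of the record adds no information, as Jim argues it should. The `_adsp._domainkey` label and the `dkim=all|discardable|unknown` tag values are assumed here in the form the later RFC 5617 standardised; the draft under discussion may have differed.

```python
"""Toy ADSP author-domain evaluation (added example; constructed data, not real DNS)."""
from enum import Enum

# Assumed record location and tag values, per RFC 5617 (not necessarily the 2008 draft).
ADSP_LABEL = "_adsp._domainkey"


class AdspResult(Enum):
    NXDOMAIN = "nxdomain"          # Author Domain does not exist in the DNS at all
    UNKNOWN = "unknown"            # domain exists, but no (usable) ADSP record: learn nothing extra
    ALL = "all"                    # domain says all its mail is signed
    DISCARDABLE = "discardable"    # domain says unsigned mail may be discarded


# Constructed DNS snapshot: owner name -> list of (rrtype, rdata).
# A name that appears nowhere (not even as a parent of another name) models NXDOMAIN.
FAKE_DNS = {
    "example.com": [("MX", "mail.example.com.")],
    f"{ADSP_LABEL}.example.com": [("TXT", "dkim=all")],
    "example.net": [("A", "192.0.2.10")],            # resolves, publishes no ADSP record
    "discard.example": [("A", "192.0.2.20")],
    f"{ADSP_LABEL}.discard.example": [("TXT", "dkim=discardable")],
    "broken.example": [("A", "192.0.2.30")],
    f"{ADSP_LABEL}.broken.example": [("TXT", "dkim=bogus")],   # syntactically unusable record
}


def name_exists(zone, name):
    """True if the name owns records or is an ancestor of one that does.

    In real DNS an empty non-terminal (a name with children but no records of its
    own) is NOT NXDOMAIN; the ancestor check reproduces that behaviour.
    """
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner in zone)


def parse_adsp_record(txt):
    """Parse a 'tag=value; tag=value' ADSP TXT record; return the practice or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    practice = tags.get("dkim")
    return practice if practice in ("unknown", "all", "discardable") else None


def evaluate_adsp(zone, author_domain):
    """Return the ADSP result for an Author Domain whose mail carried no valid author signature."""
    author_domain = author_domain.rstrip(".").lower()

    # Step 1: does the Author Domain exist at all? Only a genuinely absent name is "nxdomain".
    if not name_exists(zone, author_domain):
        return AdspResult.NXDOMAIN

    # Step 2: fetch the ADSP record. Existence of the domain by itself proves nothing:
    # no record, or more than one, or an unparsable one, all yield "unknown".
    txts = [rdata for rrtype, rdata in zone.get(f"{ADSP_LABEL}.{author_domain}", [])
            if rrtype == "TXT"]
    if len(txts) != 1:
        return AdspResult.UNKNOWN
    practice = parse_adsp_record(txts[0])
    if practice is None:
        return AdspResult.UNKNOWN
    return AdspResult(practice)


if __name__ == "__main__":
    for domain in ("example.com", "example.net", "nonexistent.example",
                   "discard.example", "broken.example"):
        print(f"{domain:22s} -> {evaluate_adsp(FAKE_DNS, domain).value}")
```

Note that "example.net" and "nonexistent.example" come out differently: the first resolves and yields "unknown" (the verifier knows nothing it did not already know), the second does not resolve at all. Collapsing those two cases, in either direction, is exactly the false-positive problem the thread describes.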