[ietf-dkim] protecting domains that don't exist
Jim Fenton
fenton at cisco.com
Fri Apr 11 14:29:08 PDT 2008
John Levine wrote:
>
> The only way to cover an entire zone with ADSP is to create an ADSP
> tree parallel to all of the names in the zone, i.e. for every
> foo.bar.example.com put in a _adsp._domainkey.foo.bar.example.com. If
> the existing tree has any wildcards, you can't do it. The current
> version of ADSP has a one level tree walk that modestly decreases the
> number of records you have to add, in exchange for making every ADSP
> lookup more complicated.
>
Exactly. That's the tradeoff we have to evaluate: making it easier to
publish a complete set of ADSP records vs. the complexity of the
lookup. The complexity of the lookup is something done by the ADSP
implementation; an individual verifier implementing ADSP doesn't need to
do anything special. Whether the decrease in the number of records you
have is modest or not depends a lot on your domain: If you have a small
domain, it's very modest. But some domains have tens or hundreds of
thousands of labels such as hostnames, and the prospect of publishing an
ADSP record for each one is non-trivial. These records also cache
individually, so it might be interesting if someone spoofs a large
number of hostnames within a domain, such as a DHCP address pool.
My opinion, of course, is that referencing the parent domain is the
better choice than publishing the extra records.
> The question that I haven't seen addressed directly is why it's so
> important to provide ADSP for domains that don't exist. Doing a DNS
> lookup to see if the domain in a putative sending address exists has
> been a useful anti-spam trick for a long time, far predating DKIM.
> Mail filters often do that even though they don't check DKIM and don't
> check ADSP. So what's the point of importing it into ADSP?
>
As someone pointed out, you can interchange steps 1 and 2 in the
specification, putting the existence check first. And then, of course,
you can decide that the existence check is done outside ADSP. If the
existence check is removed, I would advocate putting in language that
says an existence check SHOULD be performed before doing ADSP. Perhaps
even a MUST, in order to make sure that a lot of unnecessary references
to the parent aren't done. The existence check should be shown in the
overview document as well (and isn't currently). I don't think that
having the existence check in the spec is harmful, because many
developers are going to note that they have already done one, and skip
it, and caching will take care of those that don't remove the duplication.
-Jim
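The lookup order the two messages above argue about, as an added example that is not part of this thread and not code from any DKIM or ADSP implementation: a small Python simulation with a constructed zone and a stub resolver that records every query it is asked. It assumes the ADSP TXT record format ("dkim=unknown|all|discardable") and implements the one-level parent walk the way John's message describes it; the rule for where the walk stops (never above a two-label name) is an assumption of the example, not spec text. Running the existence check first is what keeps a non-existent author domain from ever generating a reference to the parent.

```python
"""Simulated ADSP lookup with the existence check performed first.

Added example for the ietf-dkim thread; not the project's own code.
The zone below is constructed. Names absent from the dict are NXDOMAIN.
"""

ADSP_PREFIX = "_adsp._domainkey."

# Constructed zone: name -> {RRTYPE: [rdata, ...]}.
ZONE = {
    "example.com": {"MX": ["mail.example.com"]},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=all"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    # A plain hostname with no ADSP record of its own (DHCP-pool style).
    "host1.example.com": {"A": ["192.0.2.11"]},
    # A subdomain that publishes a stricter practice than its parent.
    "strict.example.com": {"A": ["192.0.2.12"]},
    "_adsp._domainkey.strict.example.com": {"TXT": ["dkim=discardable"]},
}


class FakeResolver:
    """Stand-in for DNS that answers from ZONE and logs each query."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []  # list of (rrtype, name) in the order asked

    def exists(self, name):
        # Models "does this name exist at all" (NXDOMAIN vs. anything else).
        self.queries.append(("ANY", name))
        return name in self.zone

    def txt(self, name):
        self.queries.append(("TXT", name))
        return self.zone.get(name, {}).get("TXT", [])


def parse_adsp(txt_record):
    """Return the value of the dkim= tag from an ADSP TXT record, or None."""
    for tag in txt_record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "dkim":
            return value.strip()
    return None


def practice_at(resolver, domain):
    """Query the ADSP name under `domain` and return its practice, if any."""
    for record in resolver.txt(ADSP_PREFIX + domain):
        practice = parse_adsp(record)
        if practice:
            return practice
    return None


def adsp_lookup(author_domain, resolver, walk_parent=True):
    """Return "nxdomain", a published practice, or "unknown".

    Step 1 (existence check) runs before any ADSP query, so a spoofed or
    mistyped domain costs exactly one DNS lookup and never touches the parent.
    Step 3 is the one-level parent walk from the thread; stopping at names
    with fewer than two labels is this example's simplification, not spec text.
    """
    if not resolver.exists(author_domain):
        return "nxdomain"
    practice = practice_at(resolver, author_domain)
    if practice:
        return practice
    if walk_parent:
        parent = author_domain.partition(".")[2]
        if parent.count(".") >= 1:  # assumption: never walk above a 2-label name
            practice = practice_at(resolver, parent)
            if practice:
                return practice
    return "unknown"


if __name__ == "__main__":
    for name in ("host1.example.com", "strict.example.com", "nosuch.example.com"):
        r = FakeResolver(ZONE)
        print(name, "->", adsp_lookup(name, r), "via", r.queries)
```

Comparing `adsp_lookup("host1.example.com", r)` with and without `walk_parent` shows the trade-off in the thread directly: with the walk, one record at example.com covers every hostname at the cost of an extra TXT query per lookup; without it, each hostname needs its own `_adsp._domainkey` record or the verifier gets "unknown".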