[ietf-dkim] protecting domains that don't exist

Wietse Venema wietse at porcupine.org
Mon Apr 14 06:53:28 PDT 2008


John Levine:
> > As someone pointed out, you can interchange steps 1 and 2 in the 
> > specification, putting the existence check first.  And then, of course, you 
> > can decide that the existence check is done outside ADSP.  If the existence 
> > check is removed, I would advocate putting in language that says an existence 
> > check SHOULD be performed before doing ADSP.
> 
> That seems reasonable.  My objection (and I think also Dave's) is not that 
> it's a bad idea, but that it's not part of DKIM or ADSP.

+1

It's unfortunate that DNS won't let us specify ADSP policies that
cover only non-existent originator domain names, but wishing for
such an ability does not mean that we suddenly can.

The NXDOMAIN result for the originator domain cannot(*) correspond
with an ADSP policy (one of "unknown" / "all" / "discardable"),
and therefore it cannot be part of ADSP.

	Wietse

(*) Otherwise we could declare 99.9999% ADSP deployment today.

