[ietf-dkim] protecting domains that don't exist
John Levine
johnl at iecc.com
Tue Apr 15 23:12:06 PDT 2008
> Now, I have no idea what limits were placed on this capability by provisioning
> systems. What I do know is that several customers used this feature to create
> very large numbers of subdomains. (I know this because this particular usage
> exposed several bugs.)
>
> Another thing that's surprisingly common is for sites to have very large
> numbers of explicitly configured domains and subdomains - like on the order of
> tens of thousands.

Gee, some actual real life experience -- how refreshing!

Let's assume for the purposes of argument that such a site wants to use
DKIM and ADSP. Presumably there's some set of tools to manage the DNS for
the umpteen thousand subdomains.

Hypothesis A: They'll update the tools to create matching ADSP and perhaps
DKIM key records for the domains they use, so clients can just check the
ADSP for whatever domain is on the From: line.

Hypothesis B: The tools can't do it, they'll only be able to stick in a
few hand-crafted DKIM key and ADSP records for upper level domains, so
ADSP clients checking lower level subdomains will have to look around the
tree and find those records.

The current ADSP draft is written with an eye toward B, but it seems to me
that A is at least as likely. What does your experience suggest?

R's,
John
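
An added illustration of the two hypotheses, not part of the original message: it provisions ADSP records per domain (A) and compares a single exact lookup with a walk up the tree (B). Assumptions: record names follow the `_adsp._domainkey.<domain>` form and policy values of RFC 5617; the tree walk is a hypothetical search strategy, not the draft's algorithm; all domain names and zones are constructed.

```python
# Added example. Zones are plain dicts standing in for DNS; names are constructed.
ADSP_PREFIX = "_adsp._domainkey"
ADSP_POLICIES = ("unknown", "all", "discardable")  # values defined in RFC 5617


def _norm(domain):
    return domain.lower().rstrip(".")


def provision_adsp(domains, policy="all"):
    """Hypothesis A tooling: one ADSP TXT record per domain used on From: lines."""
    if policy not in ADSP_POLICIES:
        raise ValueError(f"unknown ADSP policy: {policy!r}")
    return {f"{ADSP_PREFIX}.{_norm(d)}": f"dkim={policy}" for d in domains}


def lookup_exact(zone, from_domain):
    """Client under A: a single query at the From: domain itself."""
    return zone.get(f"{ADSP_PREFIX}.{_norm(from_domain)}"), 1


def lookup_tree_walk(zone, from_domain, min_labels=2):
    """Client under B (assumed strategy): strip leading labels until a record is found.

    Returns (record or None, number of queries issued).
    """
    labels = _norm(from_domain).split(".")
    queries = 0
    while len(labels) >= min_labels:
        queries += 1
        record = zone.get(f"{ADSP_PREFIX}.{'.'.join(labels)}")
        if record is not None:
            return record, queries
        labels = labels[1:]
    return None, queries


# Constructed sample data: three customer subdomains under one parent.
SUBDOMAINS = [f"cust{i}.mail.example.com" for i in range(3)]
ZONE_A = provision_adsp(SUBDOMAINS + ["example.com"])  # tools publish everywhere
ZONE_B = provision_adsp(["example.com"])               # hand-crafted, top only

if __name__ == "__main__":
    for name in ("cust1.mail.example.com", "nosuch.example.com"):
        print(name, "A:", lookup_exact(ZONE_A, name),
              "B:", lookup_tree_walk(ZONE_B, name))
```

Under A a name that was never provisioned returns no policy from one query; under B the same name inherits the parent's policy at the cost of extra queries per message.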