[ietf-dkim] protecting domains that don't exist
Jim Fenton
fenton at cisco.com
Thu Apr 24 09:38:55 PDT 2008
Wietse Venema wrote:
> Wietse Venema wrote:
>
>> Frank Ellermann:
>>
>>> <robert at barclayfamily.com> wrote:
>>>
>>>
>>>> Would it be better if "error" were a specifically defined
>>>> result in addition to "unknown" / "all" / "discardable"?
>>>>
>>> The fourth bullet in chapter 3.2 "ASP results" offers "the
>>> domain does not exist" after "unknown"/"all"/"discardable".
>>>
>>> I-D.kucherawy-sender-auth-header chapter 2.4.2 "ASP results"
>>> lists this as "nxdomain". IMHO good enough, or do you have
>>> something else in mind ? Let's s/ASP/ADSP/g + WGLC, s.v.p.
>>>
>> Sounds reasonable. I expect many will implement NXDOMAIN as a
>> fourth ADSP lookup result in some way or another.
>>
>> This explains more easily than my earlier claim (an NXDOMAIN result
>> cannot correspond with one of "unknown" / "all" / "discardable").
>>
>
> Dave Crocker:
>
>> Sorry for being confused, but I now can't tell whether the focus
>> is on an NXDomain for the _adsp.<domain> string that is queried
>> for ADSP, or the <domain> name to which it is associated.
>>
>
> I am talking about DNS lookup #2 in ADSP: the author domain.
>
> _adsp.domainkey.example.com IN TXT (NXDOMAIN -> "unknown").
> example.com A IN (NXDOMAIN -> "nxdomain").
>
> By including "nxdomain" as a verifier result we can eliminate
> a confusion and frustration.
>
That's the fourth result in section 3.2 of ssp-03, "The domain does not
exist". So we already have it. Perhaps it's not clear enough that the
"appropriate error" referred to in step 2 of section 4.2.2 is that
particular result.
-Jim
More information about the ietf-dkim
mailing list