[ietf-dkim] protecting domains that don't exist

Jim Fenton fenton at cisco.com
Sun Apr 27 21:46:22 PDT 2008


Douglas Otis wrote:
>
> On Apr 25, 2008, at 4:21 PM, Jim Fenton wrote:
>
>> The requirement to publish large numbers of ADSP records is a barrier 
>> to its widespread adoption, at least its adoption in a way that 
>> provides broad coverage for domains.  This can be addressed with 
>> tools, but the requirement to add tooling to achieve good ADSP 
>> coverage is also a deployment barrier.  Similar concerns led the WG 
>> to the use of TXT records rather than a new RR.  There are a lot of 
>> DNS management tools out there that would need to change in order to 
>> publish the necessary ADSP records, and this would take considerable 
>> time.
>
> Publishing ADSP records in conjunction with SMTP discovery records 
> should not be described as "large" numbers.  This would have a direct 
> correspondence with records already published.  Lack of NXDOMAIN as a 
> component of ADSP validation is wholly unmanageable and can easily 
> explode into a large number.

We're not really talking about the use of NXDOMAIN in this part of the 
thread, although I'm not surprised if you're confused because we have 
(again) forgotten to change the subject line when we have changed topics.

>
> Why not depend upon discovery records?  How many public message 
> exchange protocols beyond SMTP will use ADSP records?  Who even 
> expects widespread adoption of ADSP?  Why would it be difficult to 
> provide ADSP coverage predicated upon the existence of SMTP discovery 
> records?  The lack of MX records should also preclude the use of ADSP.

Discovery records for SMTP are both MX and A, and that isn't changing.  
My point is that there are far too many A records in many domains for it 
to be practical to publish an ADSP record to go with each one, lacking 
tools to do so.  And a requirement to deploy new DNS tools will hinder 
coverage greatly.

-Jim
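The thread turns on two mechanics: an ADSP verifier first checks whether the author domain exists at all (NXDOMAIN), then looks for a policy record under it, and a publisher who wants coverage for every hostname that has an A or MX record ends up needing one ADSP record per such name. The following added example (not from the list thread or any of its participants) models both over a small constructed in-memory zone, so it runs offline. It assumes the record name `_adsp._domainkey.<domain>` and the `dkim=unknown|all|discardable` tag as later standardized in RFC 5617; the zone names and addresses are made up.

```python
from typing import Dict, List, Optional

# Constructed in-memory zone standing in for live DNS (made-up names and addresses).
# Each name maps RR type -> list of RDATA strings.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com":                       {"A": ["192.0.2.1"], "MX": ["10 mail.example.com"]},
    "mail.example.com":                  {"A": ["192.0.2.2"]},
    "www.example.com":                   {"A": ["192.0.2.3"]},
    "_adsp._domainkey.example.com":      {"TXT": ["dkim=all"]},
    "_adsp._domainkey.mail.example.com": {"TXT": ["dkim = discardable"]},
}

# Practices an ADSP record may declare (RFC 5617); anything else reads as "unknown".
ADSP_VALUES = {"unknown", "all", "discardable"}


def query(zone: Dict[str, Dict[str, List[str]]], name: str, rtype: str) -> Optional[List[str]]:
    """Return the RRset for (name, rtype): [] if the name exists without that
    type (NOERROR/NODATA), None if the name does not exist at all (NXDOMAIN)."""
    rrsets = zone.get(name.lower().rstrip("."))
    if rrsets is None:
        return None
    return list(rrsets.get(rtype, []))


def domain_exists(zone: Dict[str, Dict[str, List[str]]], domain: str) -> bool:
    """RFC 5617 step 1: the author domain must resolve to something; NXDOMAIN
    means mail claiming that domain should not be trusted on ADSP grounds."""
    return query(zone, domain, "A") is not None


def parse_adsp(txt: str) -> str:
    """Parse a tag=value ADSP TXT record and return the declared practice."""
    for tag in txt.split(";"):
        if "=" not in tag:
            continue
        key, value = (part.strip() for part in tag.split("=", 1))
        if key == "dkim":
            return value if value in ADSP_VALUES else "unknown"
    return "unknown"


def lookup_adsp(zone: Dict[str, Dict[str, List[str]]], author_domain: str) -> str:
    """RFC 5617 lookup: 'nxdomain' if the author domain does not exist,
    otherwise the practice published at _adsp._domainkey.<domain> ('unknown'
    when no record is published)."""
    if not domain_exists(zone, author_domain):
        return "nxdomain"
    txt = query(zone, "_adsp._domainkey." + author_domain, "TXT")
    if not txt:
        return "unknown"
    return parse_adsp(txt[0])


def adsp_names_needed(zone: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Every name carrying an A or MX record can appear as an author domain,
    so full coverage needs one ADSP record per such name."""
    hosts = [name for name, rrs in zone.items() if rrs.get("A") or rrs.get("MX")]
    return sorted("_adsp._domainkey." + host for host in hosts)


if __name__ == "__main__":
    for domain in ("example.com", "mail.example.com", "www.example.com", "nosuch.example.com"):
        print(f"{domain}: {lookup_adsp(ZONE, domain)}")
    print("records needed for full coverage:", adsp_names_needed(ZONE))
```

Running it shows the asymmetry under discussion: `www.example.com` exists but has no ADSP record, so the verifier gets "unknown" rather than a policy, while `adsp_names_needed` grows with every hostname in the zone.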


