[ietf-dkim] Are subdomains like parent domains?

Steve Atkins steve at blighty.com
Tue Apr 29 11:19:41 PDT 2008


On Apr 29, 2008, at 10:36 AM, Wietse Venema wrote:

> John Levine:
>>> I think I'm not the only one making assumptions here.
>>
>> Of course not.
>>
>> I'm honestly trying to figure out whether any mail systems treat mail
>> from sub.foo.com as being from foo.com when they make decisions about
>> sorting, filtering, and so forth.  That's why I'd really appreciate
>> some actual examples if there are any.  I'm not trying to be
>> confrontational here, I'm trying to gather data.
>>
>> As far as I can tell, nobody does, but the whole issue of the tree
>> walk is predicated on this assumption.  If the assumption is indeed
>> untrue, the treewalk (in any of its varieties) serves no purpose and
>> we can just get rid of it.
>
> We're trying to solve two different problems at the same time.
>
> Question 1: What do real DNS deployments look like? Seems no-one
>    can answer that here.  Everyone is concerned that ADSP introduces
>    unnecessary barriers for deployment, but discussions about
>    random real or fictitious pain symptoms are not the best way
>    to define a solution.
>
>    This is an argument to avoid ugly ad-hoc hacks like the two-level
>    DNS dance, because they lack a sound foundation.
>
> Question 2: What would the "bad guys" do to side-step DKIM/ADSP,
>    for some particular set of ADSP implementation details? I can
>    answer that with confidence. They will do everything that gets
>    their email through the filters. Unlike ADSP implementors,
>    spammers are not bound by the rules of the RFC.  Our lack of
>    imagination should not give us a false sense of security.
>
>    This is an argument to have some "safety net" mechanism like
>    the ugly two-level dance that automagically covers all nodes
>    at the same DNS level; nailing non-existent domains at lower
>    DNS levels is already trivial without ADSP.
>
> As far as I'm concerned someone can toss the coin and be done with
> it. I'd rather have something that mostly works now, than something
> that will be perfect for one microsecond. No system can be perfect
> permanently with respect to constantly changing threats.

There's a third question too. Is ADSP supposed to stand on its
own, or can it make assumptions about the rest of the filtering
system it's embedded in? If the latter, does it need to be explicit
about it?

Everyone is pretty clear that if mail is "From" a non-existent
domain, it's not likely to be delivered. As such, it's not unreasonable
to not worry about the nasty failure modes in an ADSP algorithm
if they are only triggered by a non-existent domain. But, does the
process of not worrying about it require that it be documented
within the ADSP spec?

None of that will make any difference to real world operational
use, if any; it's just spec wordsmithing.

Cheers,
   Steve


