fenton at cisco.com
Thu May 1 15:55:21 PDT 2008
Dave Crocker wrote:
> For example, let's say that a receiver chooses either not to do the
> NXDomain test or chooses to process the result differently than the
> document specifies.
> Exactly what terrible outcome does this produce?
It produces the outcome "unknown" for non-existent domains, that is
subject to misinterpretation.
It's more important when coupled with the parent domain check. If DKIM
has the parent domain check (the misleadingly named "tree walk" in
common parlance), referencing the parent domain's ADSP without checking
for the existence of either the parent or subdomain makes it impossible
to protect against the multilevel (a.b.c.d.e.example.com) attack.
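
The case described in the message above, as an added example that is not part of the original post or of the ADSP draft: a simplified Python model of the lookup with a one-level parent check, run with and without the existence test. The in-memory zone, the function names, the `nxdomain` result label and the sample policy value `all` are assumptions made for illustration.

```python
# Added example: simplified model of an ADSP lookup, not the draft's algorithm.
# EXISTING and ADSP are a constructed in-memory stand-in for DNS (no network).
EXISTING = {"example.com", "mail.example.com"}   # names that resolve
ADSP = {"example.com": "all"}                    # constructed policy record

def domain_exists(name):
    """False models an NXDOMAIN answer for the name."""
    return name in EXISTING

def parent_of(name):
    """Immediate parent only: one label is stripped, never more."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None

def adsp_result(author_domain, check_existence=True, parent_check=True):
    """Return the policy a receiver would apply to the author domain."""
    domain = author_domain.lower().rstrip(".")
    # Existence test: a non-existent author domain is reported as such
    # instead of falling through to "unknown".
    if check_existence and not domain_exists(domain):
        return "nxdomain"
    if domain in ADSP:
        return ADSP[domain]
    # Parent domain check: consult the immediate parent's record.
    if parent_check:
        parent = parent_of(domain)
        if parent is not None and parent in ADSP:
            return ADSP[parent]
    return "unknown"

if __name__ == "__main__":
    for name in ("mail.example.com", "x.example.com", "a.b.c.d.e.example.com"):
        print(name,
              "| with existence test:", adsp_result(name),
              "| without:", adsp_result(name, check_existence=False))
```

Without the existence test, the one-level name still inherits the parent's policy, but the multilevel name comes back as "unknown" because its immediate parent publishes nothing.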