[ietf-dkim] why we should clearly specify domain existence
dotis at mail-abuse.org
Mon May 26 17:31:51 PDT 2008
On May 26, 2008, at 3:09 AM, Wietse Venema wrote:
> Tony Finch:
>> We already have years of operational experience of validating
>> domain according to RFC 2821 section 5.
> You are seriously advocating that verifiers connect to an
> authoritative SMTP server for the author domain? I remind you that
> the mere existence of an A/AAAA/whatever record does not "validate"
> something as an author domain. It could be a device that does not
> even have an SMTP implementation.
This is the wrong concept. Receiving hosts may limit Author Domain
acceptance to email-addresses that are not invalidated by not having
SMTP discovery records. This requirement limits spoofing without
reliance on ADSP or DKIM having being implemented by the sender. (An
incentive.) The discovery record check should represent less overhead
than that needed to qualify the Author Domain with PTR records in the
reverse zone, largely due to the poor maintenance of this zone.
By ADSP making this recommendation, sending domains can obtain
comprehensive sub-domain protection by publishing ADSP records below
only the domains containing MX and A records. This approach
alleviates publishing ADSP records below _all_ domains, and
importantly also permits use of wildcard records by other protocols.
> I find it embarassing to see people keep assuming that the bad guys
> will play by the rules. In this case, people are assuming that the
> bad guys will use only those author domains that resolve to valid
> SMTP server implementations.
Is it not embarrassing to accept messages from Author Domains that
can't possibly resolve to a valid SMTP server? These are not rules
for bad-actors, these are recommendations for receiving hosts that
wish to reduce acceptance of messages being sent with spoofed email-
> DNS lookup alone cannot validate an author domain, so one might just
> as well use the least complicated mechanism. The SSP NXDOMAIN check
> is sufficient; the RFC 2821 section 5 MX/A/AAAA lookups create
> overhead without actual security benefit.
Once SMTP takes a rather small step and only ensures a public exchange
when an MX records is published, then the check would represent
significantly less overhead than any other scheme and would further
reduce the number of domains where an ADSP record would be needed.
An MX record mandate also offers protection for domains not
implementing SMTP, DKIM, from any number transactions often occurring
as a result of spoofed originating email-addresses. SMTP can't be
allowed to recommend the use of bogus MX records either. That
approach does not scale and would set a bad precedent. Until the MX
mandate occurs, at least the recommended process of first checking MX
records will detect a non-existent domain, and when used legitimately,
the algorithm will conclude with a request for an ADSP record.
Without the MX record mandate, a bad-actor may still induce requests
for A records.
More information about the ietf-dkim