[ietf-dkim] NEW ISSUE Re: requirement for one ADSP record per DNS entry makes ADSP undeployable

Steve Atkins steve at blighty.com
Tue May 27 08:54:45 PDT 2008


On May 27, 2008, at 2:16 AM, Eliot Lear wrote:

> - sorry - subject line error on my part (that's the only change).
>
> Eliot Lear wrote:
>> In order for ADSP to be of use, it must be easily deployable by
>> enterprises and service providers.  Otherwise, there is no point in
>> bothering to check for answers.

Very few senders are going to care about or be able to use ADSP.

Those senders want as many receivers as possible to check ADSP.

So, in order for it to be successful, you need a small number of well
motivated senders to publish records (a one-time effort, along with
a little ongoing, easily automated, maintenance) and you need a
large number of much less motivated receivers to check ADSP on
every single one of hundreds of millions of inbound emails, and their
myriad MTA providers to implement efficient code to do so.

Given that, it's clear that any chance of successful deployment is
going to be dominated by the receivers. Simplifying the job for the
receiver as much as possible is a requirement for getting that
deployment.

If that means moving some of the pain, even a disproportionate
amount of pain, onto those few, well motivated senders then that's
a good tradeoff.

>> The absence of a parent label check will mean that enterprises
>> must list an ADSP record for each and every DNS entry they have.
>> It is not unusual for enterprises to have tens of thousands of
>> DNS entries.

It's not unusual for them to have a deep DNS tree, either. A single
level tree walk will only benefit those enterprises who use shallow
DNS trees anyway.

>> The vast majority of enterprises make use of provisioning systems
>> that take years to update and deploy.  ADSP deployment is now
>> dependent on those implementations.  Because of that, ADSP adoption
>> can be expected to lag dramatically behind DKIM.  The result will be
>> that recipient sites will infer policy by the existence of records
>> and hence implicitly implement a strict test.
>>
>> Hence as things stand I expect ADSP to never be deployed,

I certainly don't expect it to be widely deployed by senders on
arbitrary existing domains. If there is widespread deployment I expect
most of it to be on customer-facing ecommerce and banking domains, not
existing enterprise domains. Really, Cisco and similar corporations
are not particularly likely phishing targets.

>> and I request
>> active consideration of the provisioning systems in use.
>>

If a sender isn't prepared to do the one-time effort to publish some
DNS records, then ADSP clearly isn't important to them.

Cheers,
   Steve
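
The disagreement above is about where a receiver looks for the ADSP
record: exactly at the author domain (one record per DNS entry) or
also at parent labels (a "parent label check" / tree walk). The
following is an added illustration of that lookup, not code from this
thread or from any ADSP implementation. It assumes the record name and
tag syntax of the final ADSP specification (RFC 5617): a TXT record at
_adsp._domainkey.<domain> carrying dkim=unknown, all or discardable.
The zone data is constructed inline so it runs offline; no DNS is
queried. With walk_levels=0 a deep host name such as
mail.corp.example.com gets no policy even though example.com publishes
one, and a single-level walk (walk_levels=1) still finds nothing for
that name, which is the point made about shallow versus deep trees.

```python
"""Added example: ADSP policy lookup with an optional parent-label walk.

Assumptions (not from the thread): RFC 5617 record name and tag syntax,
and a constructed in-memory zone standing in for real DNS.
"""
from typing import Optional

# Constructed zone: ADSP TXT records keyed by owner name (sample data).
ZONE_TXT = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.shop.example.com": "dkim=discardable",
}

# Constructed set of names that exist at all, so NXDOMAIN can be modelled.
ZONE_NAMES = {
    "example.com",
    "shop.example.com",
    "corp.example.com",
    "mail.corp.example.com",
    "eu.mail.corp.example.com",
}

VALID_PRACTICES = ("unknown", "all", "discardable")


def parse_adsp(txt: str) -> Optional[str]:
    """Return the dkim= practice from an ADSP TXT record, or None if malformed."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    practice = tags.get("dkim")
    return practice if practice in VALID_PRACTICES else None


def lookup_adsp(author_domain: str, walk_levels: int = 0) -> str:
    """Resolve the ADSP practice for author_domain.

    walk_levels=0 is the one-record-per-domain behaviour argued over in the
    thread: only _adsp._domainkey.<author_domain> is consulted.
    walk_levels=N additionally tries up to N parent labels (a parent label
    check), stopping at the first record found and never climbing to a TLD.
    Returns 'unknown', 'all', 'discardable' or 'nxdomain'.
    """
    if author_domain not in ZONE_NAMES:
        # Non-existent author domain is distinct from "exists, no policy".
        return "nxdomain"
    labels = author_domain.split(".")
    for level in range(walk_levels + 1):
        if len(labels) - level < 2:
            break  # would be querying a TLD or the root; stop
        candidate = ".".join(labels[level:])
        txt = ZONE_TXT.get(f"_adsp._domainkey.{candidate}")
        if txt is not None:
            practice = parse_adsp(txt)
            # A malformed record is treated as no usable policy.
            return practice if practice else "unknown"
    return "unknown"  # no record found: ADSP's default practice


def compare_walk_depths(author_domain: str, max_walk: int = 3) -> dict:
    """Show how the result changes as the receiver walks more parent labels."""
    return {n: lookup_adsp(author_domain, walk_levels=n) for n in range(max_walk + 1)}


if __name__ == "__main__":
    for name in ("example.com", "shop.example.com",
                 "mail.corp.example.com", "eu.mail.corp.example.com",
                 "nope.example.com"):
        print(f"{name:28s} {compare_walk_depths(name)}")
```

The receiver-side cost of the walk is visible in compare_walk_depths:
each extra level is one more DNS query per inbound message on the
unhappy path, which is the per-message cost the message above argues
should be kept as small as possible.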
