[ietf-dkim] Discussion of Consensuscheck: Domain Existence Check
Bill.Oxley at cox.com
Bill.Oxley at cox.com
Wed Jun 11 05:49:08 PDT 2008
"what do you want the Verifier to do? " anything he wants to with the understanding he has the equivalent of an unsigned message.
non-SMTP domain is the same as a non tcpip domain, no records associated with the protocol
Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397
-----Original Message-----
From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Charles Lindsey
Sent: Wednesday, June 11, 2008 4:48 AM
To: DKIM
Subject: Re: [ietf-dkim] Discussion of Consensuscheck: Domain Existence Check
On Tue, 10 Jun 2008 18:34:57 +0100, Douglas Otis <dotis at mail-abuse.org>
wrote:
> On Jun 9, 2008, at 9:21 PM, Jim Fenton wrote:
>> Since it apparently isn't clear: I am proposing retaining the
>> NXDOMAIN domain validity check as a MUST. It is only the MX and A/
>> AAAA check that I'm proposing be changed from a SHOULD to a MAY.
>
> The situation created by MS Exchange creates a problem where just an
> NXDOMAIN check is still problematic. While NXDOMAIN might occur for
> any leaked X.400 address or typical "somebody at something.invalid",
> NXDOMAIN results might also occur with any proxy SMTP addresses
> assigned by MS Exchange. This occurs since MS Exchange assignments
> and routing do not depending upon DNS records. Such an NXDOMAIN test
> would disrupt messages created by the company where I work, for
> example. In addition, unless the test goes one step further to
> determine whether a domain appears to support SMTP, this would offer
> far less utility in preventing address spoofing. Nor could just an
> NXDOMAIN test offer protection for non-SMTP domains.
But you have repeatedly failed to explain how a verifier could recognise
and handle this case in a manner that did not leave a loophole for all the
scammers and spoofers to walk through. If some message arrives with a From
that includes a proxy SMTP address assigned by MS Exchange (which will
surely result in NXDOMAIN), what do you want the Verifier to do? Is there
some way that is can recognise this as a proxy address and let it through
whilst still rejecting things apparently from the domain funny.ebay.com?
If some companies using MS Exchange allow such messages to escape, then I
am afraid that is just Tough! It is a stupid behaviour. I might accept
that domains whose TLD clearly did not exist could be exempted from the
NXDOMAIN check in ADSP.
And what do you mean by a "non-SMTP domain. AKAIK the phrase is
meaningless.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
More information about the ietf-dkim
mailing list