[ietf-dkim] Another take on "all email from us is dkim signed"

[HLS]

On Wed, Mar 11, 2009 at 4:33 PM, Mark Delany
<markd+dkim at yahoo-inc.com<markd%2Bdkim at yahoo-inc.com>
> wrote:

> On Wed, Mar 11, 2009 at 3:33 PM, Steve Atkins <steve at wordtothewise.com>wrote:
>
>>
>> Did we already look at this idea and discard it before we settled on
>> using a DNS query for every email received?
>
>
> Discussed, not discarded.  AFAIR,  the general feeling is that Lookups are
> cheap today.
>
>
> Essentially such an approach is asking every MX target with more than one
> system to invent some way of distributing the knowledge it discovers on an
> inbound, signed message.
> You also have to invent mechanisms to deal with corner cases and timing
> windows, such as when one MX target receives a "we don't sign all anymore"
> and another MX target for the same domain almost immediately receives an
> unsigned email from that domain. Or what if you use your ISP as a secondary
> MX and the "state changing emails" happened to be queued up there for a
> while?
>
> I also don't see how it changes anything from a functional POV. If ADSP is
> carried in the signature vs carried in a DNS record, it would presumably
> invoke the same level of WG discussion over semantics and purpose.
>
> Given the highly cacheable nature of ADSP information and the fact that
> we're already querying the DNS for key information, it's unclear what the
> big benefit would be in moving this in-band.
>

Outside of DNS query related technical issues,  the first
operational repercussion is  the lost of handling legacy mail.   We need to
use an "standard anchor" something we know will always be there, which as it
is now, is the From: domain lookup.

-- 
hls
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mipassoc.org/pipermail/ietf-dkim/attachments/20090311/72c2326a/attachment.html