Re: [apps-discuss] Comments on draft-sullivan-domain-policy-authority

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 19 July 2013 19:45 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4104C11E8193 for <apps-discuss@ietfa.amsl.com>; Fri, 19 Jul 2013 12:45:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.79
X-Spam-Level:
X-Spam-Status: No, score=-0.79 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PbY7rOnNTMH for <apps-discuss@ietfa.amsl.com>; Fri, 19 Jul 2013 12:45:26 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 8345D11E8113 for <apps-discuss@ietf.org>; Fri, 19 Jul 2013 12:45:26 -0700 (PDT)
Received: from mx1.yitter.info (nat-07-mht.dyndns.com [216.146.45.246]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 073348A031 for <apps-discuss@ietf.org>; Fri, 19 Jul 2013 19:45:24 +0000 (UTC)
Date: Fri, 19 Jul 2013 15:45:23 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: apps-discuss@ietf.org
Message-ID: <20130719194523.GG40049@mx1.yitter.info>
References: <CAL0qLwbu-vUjD2Wg2FnzUrnWeXzNV8Va-BBp6XgAWm-gQNGaQQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL0qLwbu-vUjD2Wg2FnzUrnWeXzNV8Va-BBp6XgAWm-gQNGaQQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [apps-discuss] Comments on draft-sullivan-domain-policy-authority
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2013 19:45:36 -0000

Hi,

On Fri, Jul 19, 2013 at 11:48:29AM -0700, Murray S. Kucherawy wrote:

> One thing it doesn't mention is that it will require a SOPA record to be
> created at every extant node in the DNS tree for a domain that wishes to
> make use of it.  Unless I've misread something, the document does indicate
> that a node can indicate it is in the same policy realm as all of its
> descendants, but it also says this relationship needs to be confirmed to be
> believed.  That means all of the descendant nodes also have to have SOPA
> records pointing back to that parent node.  If I'm understanding that
> correctly, the document should probably call this out as a constraint as
> well.

In the inclusion case, yes.  

This is an unhappy consequence of my worry about certain security
implications of the relationship, but thinking about it after John
Levine made the same argument to me off-list I'm wondering whether we
just need to invent a new relation class that asserts "mail policy
apex", which can assert mail control over everything beneath it.  The
problem with this is the same security problem we have with just doing
inclusion without a corresponding inclusion record at the target.
However, as several people have argued, a parent has the ultimate
authority to redirect the name, so maybe the best way to handle this
is just contracts.

> APPSAWG/APPAREA agenda, if the authors of both drafts would be interested
> in talking to that audience about their ideas in Berlin.

I'm prepared to discuss this if others think it would be useful.

Best, 

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
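The exchange above turns on one rule: a parent's claim that a descendant (or any other name) is in its policy realm is not believed until the other name publishes a record pointing back. The Python below is an added toy model of that rule, not code from the draft or from anyone in the thread. The record layout (owner, relation, target) and the relation names "includes", "includes-descendants" and "member-of" are hypothetical stand-ins for whatever the draft's SOPA RDATA actually carries; the zone contents are constructed. It shows both sides of the discussion: Murray's constraint (a descendant with no record is not covered) and the security problem Andrew points at when confirmation is dropped (any zone can claim another name into its realm).

```python
"""Toy model of confirmed policy-realm membership (added example, not the draft's code).

Records are (owner, relation, target) triples published at DNS nodes.  Relation
names are hypothetical:
  "includes"              owner asserts that target is in owner's realm
  "includes-descendants"  owner asserts that every name below it is in its realm
  "member-of"             owner asserts that it is in target's realm
A name is in an apex's realm only when the apex claims it AND the name confirms.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


def norm(name: str) -> str:
    """Canonical FQDN form: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def is_descendant(name: str, ancestor: str) -> bool:
    """True if name is ancestor itself or lies below it in the DNS tree."""
    n, a = norm(name), norm(ancestor)
    return n == a or n.endswith("." + a)


@dataclass(frozen=True)
class PolicyRecord:
    owner: str
    relation: str
    target: str


class PolicyView:
    """A resolver's view of the policy records it has looked up."""

    def __init__(self, records: Iterable[PolicyRecord]):
        self.records: Set[PolicyRecord] = {
            PolicyRecord(norm(r.owner), r.relation, norm(r.target)) for r in records
        }

    def claims(self, apex: str, name: str) -> bool:
        """Does apex assert that name is in its realm?"""
        apex, name = norm(apex), norm(name)
        for r in self.records:
            if r.owner != apex:
                continue
            if r.relation == "includes" and r.target == name:
                return True
            if r.relation == "includes-descendants" and is_descendant(name, apex):
                return True
        return False

    def confirms(self, name: str, apex: str) -> bool:
        """Does name publish a record pointing back at apex?"""
        return PolicyRecord(norm(name), "member-of", norm(apex)) in self.records

    def in_realm(self, name: str, apex: str, require_confirmation: bool = True) -> bool:
        """require_confirmation=False models the one-sided 'mail policy apex' idea."""
        if norm(name) == norm(apex):
            return True
        if not self.claims(apex, name):
            return False
        return self.confirms(name, apex) if require_confirmation else True

    def unconfirmed(self, apex: str, candidates: Iterable[str]) -> Set[str]:
        """Names the apex claims but which have not published a matching record."""
        return {norm(c) for c in candidates if self.claims(apex, c) and not self.confirms(c, apex)}


# Constructed sample zone contents (not real DNS data).
RECORDS: List[PolicyRecord] = [
    PolicyRecord("example.com", "includes-descendants", "example.com"),
    PolicyRecord("mail.example.com", "member-of", "example.com"),
    # www.example.com publishes nothing, so the parent's claim about it is unconfirmed.
    # An unrelated zone claims bank.example into its realm; bank.example never agrees.
    PolicyRecord("attacker.example", "includes", "bank.example"),
]
VIEW = PolicyView(RECORDS)


def demo() -> dict:
    """Collect the outcomes a practitioner would want to compare."""
    return {
        "confirmed_child": VIEW.in_realm("mail.example.com", "example.com"),
        "unconfirmed_child": VIEW.in_realm("www.example.com", "example.com"),
        "unconfirmed_child_one_sided": VIEW.in_realm("www.example.com", "example.com", False),
        "hijack_confirmed_rule": VIEW.in_realm("bank.example", "attacker.example"),
        "hijack_one_sided": VIEW.in_realm("bank.example", "attacker.example", False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("needs records:", VIEW.unconfirmed("example.com", ["mail.example.com", "www.example.com"]))
```

With confirmation required, the two cases the thread worries about come out differently for the right reason: www.example.com is excluded only because it has not published its record (the operational cost Murray describes), while attacker.example's claim on bank.example is rejected because bank.example never points back. Dropping the confirmation check admits both, which is the "same security problem" Andrew notes for a one-sided apex assertion.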