[ietf-dkim] New issue: DNS Record type for SSP
Jim Fenton <fenton@cisco.com> Tue, 17 April 2007 06:34 UTC
Message-ID: <46241815.3080607@cisco.com>
Date: Mon, 16 Apr 2007 17:43:01 -0700
From: Jim Fenton <fenton@cisco.com>
To: "ietf-dkim@mipassoc.org" <ietf-dkim@mipassoc.org>
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1778; t=1176791088; x=1177655088; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fenton@cisco.com; z=From:=20Jim=20Fenton=20<fenton@cisco.com> |Subject:=20New=20issue=3A=20=20DNS=20Record=20type=20for=20SSP |Sender:=20; bh=XFpngEKHU7Uh8P9GlrXtmLpzSs4TTKgLfT94HcKsU9Q=; b=XX7vuAKqZca75fZwd8fXjImkJ03rUVc6o6WFluulBvOvoGVbnG+YWUMwxEa8qw+iJ69uZG4+ lWEVwgwK5QhXJlrQIC08RhWb1TCaiN6fOYOlP8lmKb2J0IsfapzoGpCfI4zXON7557Mj4oFWqR mYQ0dCmrwIBjw7NEGhI8K5jCs=;
Authentication-Results: sj-dkim-1; header.From=fenton@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Subject: [ietf-dkim] New issue: DNS Record type for SSP
There have been many discussions regarding the choice of DNS record type for SSP. draft-allman-dkim-ssp proposes the use of a new RR type for SSP records; another choice is to use TXT records with a distinct (and likely IANA-registered) prefix.

Phill Hallam-Baker has proposed that DKIM policy be queried in two different ways, in parallel:

(1) Prefixed query for TXT record, e.g., _dkimpolicy.example.com

(2) Non-prefixed query for a new RR, either an XPTR or a new RR containing DKIM policy directly (depending on what we decide about the XPTR proposal). The second query allows the client to determine that the domain doesn't exist if it receives an NXDOMAIN error.

Argument Pro: Allows DKIM policy to work in the absence of support for new RRs.

Argument Con: Twice as many queries. Depending on where it is assumed that DNS will not support new RR types, it may never be possible to remove support for the TXT query. If the problem supporting new RRs is only with DNS publication, clients will always need to make both kinds of queries, although at some point it may be possible to make the queries sequential, and only make the TXT query if the query for the new RR returns a NODATA response. If the problem supporting new RRs is only with DNS resolvers, it may never be possible to remove TXT records and double-publication will always be needed.

My opinion: Basically "Argument Con" from above (I wrote it, after all...). Allowing the query to make use of an NXDOMAIN response (which means there can't be a prefix) I believe to be a useful optimization, especially in the presence of messages from non-existent domains or subdomains; we want to handle this case efficiently because it is a likely attack vector.

-Jim

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
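The lookup strategies the message compares, as an added example that is not part of the post or of any DKIM implementation: a stub resolver answering from a constructed in-memory zone stands in for real DNS so the code runs offline, and three verifier-side strategies (parallel TXT plus new-RR queries, the sequential variant that only falls back to TXT on NODATA, and a prefixed TXT query alone) are run against a domain that double-publishes, one that can only publish TXT, one with no policy, and one that does not exist. The RR mnemonic `SSP` for the hypothetical new record type, the example domain names, and the `dkim=all` policy string are assumptions made for illustration; the `_dkimpolicy` prefix is the one named in the post.

```python
"""
Offline model of the SSP lookup strategies discussed on the list.
Added example; not code from the post or from any DKIM project.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Response classes a verifier must tell apart. In real DNS, NXDOMAIN is
# RCODE 3; NODATA is RCODE 0 (NOERROR) with an empty answer section.
NXDOMAIN = "NXDOMAIN"   # the queried name does not exist at all
NODATA = "NODATA"       # the name exists but has no record of that type
ANSWER = "ANSWER"       # a record of that type was returned

TXT_PREFIX = "_dkimpolicy"  # prefix label from the post
NEW_RR = "SSP"              # assumed mnemonic for the hypothetical new RR type

# Constructed zone data (name -> {rrtype: rdata}). Domains and the
# "dkim=all" policy string are made up for this example.
ZONE: Dict[str, Dict[str, str]] = {
    # double-publishes: new RR at the name itself plus TXT under the prefix
    "signed.example": {NEW_RR: "dkim=all", "MX": "mail.signed.example"},
    "_dkimpolicy.signed.example": {"TXT": "dkim=all"},
    # can only publish TXT (provisioning knows no new RR types)
    "legacy.example": {"MX": "mail.legacy.example"},
    "_dkimpolicy.legacy.example": {"TXT": "dkim=all"},
    # exists, but publishes no policy at all
    "nopolicy.example": {"MX": "mail.nopolicy.example"},
    # "phantom.example" is deliberately absent: the domain does not exist
}

Result = Tuple[str, Optional[str], int]  # (verdict, policy, queries issued)


@dataclass
class FakeDNS:
    """Minimal stand-in for a resolver: answers from a zone dict, counts queries."""
    zone: Dict[str, Dict[str, str]]
    queries: int = 0

    def query(self, name: str, rrtype: str) -> Tuple[str, Optional[str]]:
        self.queries += 1
        rrsets = self.zone.get(name.lower().rstrip("."))
        if rrsets is None:
            return NXDOMAIN, None
        if rrtype not in rrsets:
            return NODATA, None
        return ANSWER, rrsets[rrtype]


def lookup_parallel(dns: FakeDNS, domain: str) -> Result:
    """Both queries every time, as the post describes the parallel proposal."""
    dns.queries = 0
    new_rc, new_rdata = dns.query(domain, NEW_RR)
    txt_rc, txt_rdata = dns.query(f"{TXT_PREFIX}.{domain}", "TXT")
    if new_rc == NXDOMAIN:
        # Only the non-prefixed query can establish that the domain is absent.
        return "nonexistent-domain", None, dns.queries
    if new_rc == ANSWER:
        return "policy", new_rdata, dns.queries
    if txt_rc == ANSWER:
        return "policy", txt_rdata, dns.queries
    return "no-policy", None, dns.queries


def lookup_sequential(dns: FakeDNS, domain: str) -> Result:
    """The optimisation the post mentions: TXT only after NODATA for the new RR."""
    dns.queries = 0
    rc, rdata = dns.query(domain, NEW_RR)
    if rc == NXDOMAIN:
        return "nonexistent-domain", None, dns.queries
    if rc == ANSWER:
        return "policy", rdata, dns.queries
    rc, rdata = dns.query(f"{TXT_PREFIX}.{domain}", "TXT")
    if rc == ANSWER:
        return "policy", rdata, dns.queries
    return "no-policy", None, dns.queries


def lookup_txt_only(dns: FakeDNS, domain: str) -> Result:
    """Prefixed TXT query alone: NXDOMAIN for the prefixed name is uninformative."""
    dns.queries = 0
    rc, rdata = dns.query(f"{TXT_PREFIX}.{domain}", "TXT")
    if rc == ANSWER:
        return "policy", rdata, dns.queries
    # The prefixed name is NXDOMAIN both when the domain is missing and when
    # it exists without a policy, so the verdict cannot distinguish the two.
    return "no-policy", None, dns.queries


if __name__ == "__main__":
    for name in ("signed.example", "legacy.example", "nopolicy.example", "phantom.example"):
        print(name,
              lookup_parallel(FakeDNS(ZONE), name),
              lookup_sequential(FakeDNS(ZONE), name),
              lookup_txt_only(FakeDNS(ZONE), name))
```

Running the module shows the trade-off the post lays out: the parallel strategy always costs two queries, the sequential one costs one query for a non-existent domain or a domain that publishes the new RR and two only for a TXT-only publisher, and the prefix-only strategy returns the same verdict for `nopolicy.example` and `phantom.example` because an NXDOMAIN for `_dkimpolicy.<domain>` says nothing about whether `<domain>` itself exists.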
- [ietf-dkim] New issue: DNS Record type for SSP Jim Fenton
- Re: [ietf-dkim] New issue: DNS Record type for SSP Scott Kitterman
- Re: [ietf-dkim] New issue: DNS Record type for SSP John Levine
- Re: [ietf-dkim] New issue: DNS Record type for SSP Scott Kitterman
- Re: [ietf-dkim] New issue: DNS Record type for SSP John Levine