Re: [ietf-dkim] New issue: DNS Record type for SSP
Scott Kitterman <ietf-dkim@kitterman.com> Tue, 17 April 2007 06:47 UTC
Return-path: <ietf-dkim-bounces@mipassoc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HdhTg-0008Ro-U6 for ietf-dkim-archive@lists.ietf.org; Tue, 17 Apr 2007 02:47:48 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HdhTf-00063S-8q for ietf-dkim-archive@lists.ietf.org; Tue, 17 Apr 2007 02:47:48 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id l3H6kgVZ006426; Mon, 16 Apr 2007 23:46:43 -0700
Received: from mailout00.controlledmail.com (mailout00.controlledmail.com [72.81.252.19]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id l3H6kWw6006368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-dkim@mipassoc.org>; Mon, 16 Apr 2007 23:46:33 -0700
Received: from mailout00.controlledmail.com (localhost [127.0.0.1]) by mailout00.controlledmail.com (Postfix) with ESMTP id 28EEF5CC132 for <ietf-dkim@mipassoc.org>; Tue, 17 Apr 2007 06:46:33 +0000 (UTC)
Received: from [192.168.111.102] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by mailout00.controlledmail.com (Postfix) with ESMTP id 193E35CC0FB for <ietf-dkim@mipassoc.org>; Tue, 17 Apr 2007 06:46:33 +0000 (UTC)
From: Scott Kitterman <ietf-dkim@kitterman.com>
To: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] New issue: DNS Record type for SSP
Date: Tue, 17 Apr 2007 02:46:30 -0400
User-Agent: KMail/1.9.5
References: <46241815.3080607@cisco.com>
In-Reply-To: <46241815.3080607@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200704170246.30816.ietf-dkim@kitterman.com>
X-AV-Checked: ClamAV using ClamSMTP
X-Songbird: Clean, Clean
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
On Monday 16 April 2007 20:43, Jim Fenton wrote: > There have been many discussions regarding the choice of DNS record type > for SSP. draft-allman-dkim-ssp proposes the use of a new RR type for > SSP records; another choice is to use TXT records with a distinct (and > likely IANA-registered) prefix. > > Phill Hallam-Baker has proposed that DKIM policy be queried in two > different ways, in parallel: (1) Prefixed query for TXT record, e.g., > _dkimpolicy.example.com and (2) Non-prefixed query for a new RR, either > an XPTR or a new RR containing DKIM policy directly (depending on what > we decide about the XPTR proposal). The second query allows the client > to determine that the domain doesn't exist if it receives an NXDOMAIN > error. > > Argument Pro: Allows DKIM policy to work in the absence of support for > new RRs. > > Argument Con: Twice as many queries. Depending on where it is assumed > that DNS will not support new RR types, it may never be possible to > remove support for the TXT query. If the problem supporting new RRs is > only with DNS publication, clients will always need to make both kinds > of queries, although at some point it may be possible to make the > queries sequential, and only making the TXT query if the query for the > new RR returns a NODATA response. If the problem supporting new RRs is > only with DNS resolvers, it may never be possible to remove TXT records > and double-publication will always be needed. > > My opinion: Basically "Argument Con" from above (I wrote it, after > all...). Allowing the query to make use of an NXDOMAIN response (which > means there can't be a prefix) I believe to be a useful optimization > especially in the presence of messages from non-existent domains or > subdomains; we want to handle this case efficiently because it is a > likely attack vector. If the protocol is supportable through use of prefixed TXT records, you'll never move off of it. Give up and don't bother defining the new RR type. It's twice as many queries for no gain. We are near the 2nd aniversary of the SPF record type and it still has almost zero deployment. I tend to think along the lines of make TXT work. It's all you've got for near term deployment. If we can wait 5 years for SSP, why bother to expend the resources to design it at all. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
- [ietf-dkim] New issue: DNS Record type for SSP Jim Fenton
- Re: [ietf-dkim] New issue: DNS Record type for SSP Scott Kitterman
- Re: [ietf-dkim] New issue: DNS Record type for SSP John Levine
- Re: [ietf-dkim] New issue: DNS Record type for SSP Scott Kitterman
- Re: [ietf-dkim] New issue: DNS Record type for SSP John Levine