IETF Logo Mail Archive

RE: [ietf-dkim] SSP issues

"Hallam-Baker, Phillip" <pbaker@verisign.com> Thu, 31 May 2007 11:06 UTC

Return-path: <ietf-dkim-bounces@mipassoc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HtiTx-0008M3-IV for ietf-dkim-archive@lists.ietf.org; Thu, 31 May 2007 07:06:17 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HtiTt-0006yQ-Mq for ietf-dkim-archive@lists.ietf.org; Thu, 31 May 2007 07:06:17 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id l4VB5Ik0019580; Thu, 31 May 2007 04:05:24 -0700
Received: from robin.verisign.com (robin.verisign.com [65.205.251.75]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id l4VB50V1019510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-dkim@mipassoc.org>; Thu, 31 May 2007 04:05:00 -0700
Received: from MOU1WNEXCN03.vcorp.ad.vrsn.com (mailer6.verisign.com [65.205.251.33]) by robin.verisign.com (8.13.6/8.13.4) with ESMTP id l4VB53De029161; Thu, 31 May 2007 04:05:03 -0700
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by MOU1WNEXCN03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 31 May 2007 04:05:03 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: [ietf-dkim] SSP issues
Date: Thu, 31 May 2007 04:04:01 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37012A5BFE@MOU1WNEXMB04.vcorp.ad.vrsn.com>
In-Reply-To: <465DF93D.1080306@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [ietf-dkim] SSP issues
Thread-Index: AcejCkF5+DN8uPtmT5iT6CDUL/52OgAZjV1Q
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Jim Fenton <fenton@cisco.com>, IETF DKIM WG <ietf-dkim@mipassoc.org>
X-OriginalArrivalTime: 31 May 2007 11:05:03.0601 (UTC) FILETIME=[8A0CCE10:01C7A373]
X-Songbird: Clean, Clean
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by sb7.songbird.com id l4VB50V1019510
Cc:
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be

> [mailto:ietf-dkim-bounces@mipassoc.org] On Behalf Of Jim Fenton

> What we had hoped to do in the next revision of the 
> allman-ssp draft was to unify it as much as possible with 
> Phill Hallam-Baker's draft.  I opened three new issues on 
> April 16 that I think need to be resolved in order to do that.
> 
> (1) Use of XPTR records for SSP.  The idea here is to create 
> a more general policy mechanism that can be used by WS-* and 
> such.  There were about 20 messages discussing this from 5 
> people.  I'm not reading a clear consensus on this.

I would order this slightly differently. The point of XPTR is that it avoids the need to create new RRs for future policy records. The reason I believe this is essential is that in the future I anticipate a policy record for every protocol and I anticipate a vast increase in the number of protocols as we enter the machine-machine communication era.

Current Internet protocols are almost exclusively designed either for human endpoints directly or to support protocols that terminate at human endpoints. This constrains proliferation of protocols. Once we are in the Web Services era proper we lose this constraint. I expect development of these protocols to be organic, bottom up with the standards process only kicking in at a late stage.

If I am right a means of distributing protocol policy will be essential to manage the proliferation, moreover gating deployment on IETF action required to allocate a finite resource (RR codes) and update the DNS server infrastructure is simply usustainable.

> (2) SSP record type (TXT vs. something new). Only 4 messages 
> in discussion, mostly saying "if you support TXT, don't 
> bother with anything else."  Again, no clear consensus.

I see no value in an SSP record type. The downside for DKIM is serious - we are gated on new deployments of DNS server code. The downside for the DNS described above is equally serious.

As a general rule: deployment of a new Internet protocol or protocol enhancement such as DKIM should not require consumption of any finite infrastructure resource. DNS RRs are one such resource.

The only objection made to using TXT that has been sustained is the wildcard issue and that has been answered by XPTR. The principled approach here is to use a new RR to extend the DNS infrastructure so it never needs future extension for other projects with similar goals. 

I think that we should only do TXT. The consequence of this is that any email sender can express the policy 'I sign all mail from example.com' without modifying their DNS. The sand in the shoe is that they have to upgrade their DNS server to express the policy 'All mail from *.example.com is signed'.

I accept the sand in the shoe reluctantly for the following reasons:

1) I don't think that the policy 'All mail from *.example.com is signed' is legitimate, I can see a need for the policy 'No mail is sent from *.example.com' but that is out of scope. I can see how this can happen due to split DNS but anyone operating DKIM in this mode should either enter the DNS nodes in the external DNS or do the appropriate mapping before they sign.

2) Regardless of the wildcard mechanism employed (new RR, XPTR, whatever) administrative wildcards are going to be essential on a zone of any size.

3) There is an advantage to DKIM in encouraging deployment of DNS servers capable of DNSSEC.


> (3) Upward query vs. wildcard publication.  27 messages in 
> discussion from 15 people.  Most of the discussion was a 
> rehash of the idea of associating semantics with DNS 
> zone-cuts, which we had already discussed and rejected.  I 
> have also been trying to get an opinion from DNSOP on the 
> idea of a one-level upward search (which I think solves 90% 
> of the problem), but haven't gotten any response.
> 
> So I don't know what to write in a revision of the draft.  I 
> could just write my opinions, but that's basically what's in 
> the draft-allman-dkim-ssp-02 draft already and doesn't make 
> any progress toward unifying the different proposals.  I want 
> to get something done soon, well before the July 2 deadline.

I think that this is where we reach the 'non-negotiable' issue for the DNS cabal. Misimplementation of upward query is a major cause of load on the DNS. The DNS cabal will complain loudly on this issue and they will actually have a case.

If we put it on the table and the DNS cabal raise an objection which is sustained for cause it will be harder to resist if they make complaints in areas where they don't really have a cause.


I thought I would want 'I sign all mail from *.example.com' but I don't, and I don't think anyone else really does.

There are three cases of interest:

1) The node exists in the internal DNS and the external DNS  
		'example.com', 'alice.example.com'
2) The node exists in the internal DNS but not the external DNS
		'bob.example.com'
3) The node exists in neither DNS
		'spammer.example.com'

If the site does not have split DNS the only cases that appear are 1 and 3.

I don't think that case 1 is the sort of thing you want to handle with a wildcard. If you care enough to sign the mail and setup the key records then you care enough to stipulate the policy.

Case 2 is an interesting edge case, but I don't think it is realistic. If I am hiding the existence of the node from the external world it should not be sending mail.

What does make sense is to have a policy:
      'All mail from {example.com, alice.example.com, bob.example.com} is signed'
	OTHERWISE 'No mail is sent from *.example.com'

I can't see where I would be signing mail from a domain name with no external existence.

OK here we come to a strange observation I made to Jim earlier. DKIM does not require a wildcard for DKIM signature policies. 'I sign everything in *.example.com' does not make sense, the wildcard that does make sense is 'Nomail is sent from *.example.com'. Which is of course out of scope, so maybe the whole wildcard issue is out of scope for DKIM policy and is only in scope for DKIM policy extensions (e.g. NOMAIL).


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email