----- Original Message ----- From: "Steve Atkins" <[EMAIL PROTECTED]>
>> >> But it still an optimization concept: >> >> - No need to DNS lookup, regardless of TTL state. > > Yes. DNS is cheap, and NXDOMAIN is cached, though. How often, in > practice, do you think that even an MUA, let alone an MTA, will be > seeing a significant fraction of expired signatures? But are we ready to presume it is foregone that this will be low? Low or high, I still don't think it substracts from the optimization consideration based on the current semantics of the protocol. What are saying anyway? That a DNS lookup should always be done anyway, therefore a x=tag or any other short-circuiting concept that would provide the same optimozed result is not required? A side nit: We have no 100% reliable conclusion that all verifying sites will have the same 100% reliable DNS operations. >> - No need to do any SHA256 Hashing on a potential HUGE payload. > > If the public key has expired from DNS, then you wouldn't be > doing that anyway, would you? (If your MTA were ill-designed > enough to do that it would also be doing so for the significantly > larger fraction of email that has falsified DKIM headers, which would > seem a much bigger problem.) I think this all depends on the semantics and what time x= points too in the cycle of key life and in combination with TTL, who know what chaotic timing and caching issue we are dealing with. But yes, you are correct, The current semantic for making a key invalid if when the key p= tag is empty or a NXDOMAIN and in this case, there is no hashing overhead. Also keep in mind that this (NXDOMAIN) means with Section 6.2 Step 2. >> This is clearly an optimization any good engineer will see. > > I don't really care one way or the other, but describing this > feature as "clearly an optimization" seems to overstate the case. Probably. But it also depends on what a verifier is experiencing and I am for using our insights to make this an efficient system without changing the end results. The concept is clearly an optimization because the results are not changed. It is clear step to removing any additional processing or consideration required. I am not disagreeing that it net effect is major. By no means, but if you don't have to do an DNS lookup, and the specs has an implicit semantics to this effort, and the end results are the same whether you do or not, then why enforce it? Thanks -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
