On Sep 6, 2006, at 4:00 PM, william(at)elan.net wrote:
> Actually your tree-walking in general is what's most troublesome to
> me. This is what would cause the most problems and most extra
> queries and cache misses (I know NXDOMAIN can be cached but don't
> assume you can rely on it). And I don't think this will fly during
> last-call and/or when DNS folks see this.
A scheme could offer protection by annotating assured valid email-
addresses of those also found within the address-book. This list of
email-addresses can be enhanced with local-parts added via policy.
With this scheme there is _no_ need to walk label trees. This
protection does _not_ depend upon blocking look-alikes or spoofed
email-addresses.
DKIM requires some form of annotation, as valid signatures are
transparent by design. Blocking all bad actors is not practical. By
depending upon the address book, not providing bad actors any
assuring annotations can be achieved in most cases without any
additional transactions beyond just verifying the signature. Some
additional transactions might extend the list of email-addresses
being annotated, or extend the assurance of valid email-addresses by
way of associations.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
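The address-book-gated annotation described in the reply above, written out as an added example. This is not code from the list thread or from any DKIM implementation: it assumes the MUA or MDA has already run DKIM verification and hands over the signing domain (d=) and identity (i=); the `DkimResult`, `identity_covers` and `should_annotate` names are hypothetical, the address book and "policy local-parts" are constructed sample data, and the interpretation of policy local-parts as extra local-parts accepted for domains already present in the book is an assumption. It shows the two cases the scheme handles without any DNS lookups or label-tree walk: a valid signature from a look-alike domain gets no annotation because the address is simply not in the book, and a valid signature whose identity does not cover the From address gets none either.

```python
"""Address-book-gated annotation of DKIM-verified From addresses.

Added example, not code from the DKIM list thread or any real verifier.
Assumes DKIM verification has already been done by the MUA/MDA; all
names, sample addresses and the policy-local-part rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DkimResult:
    """Outcome of a DKIM verification handed to us by the verifier (hypothetical)."""
    valid: bool      # header/body hashes verified under the selector's key
    d: str           # d= signing domain
    i: str = ""      # i= identity, e.g. "@example.com" or "alice@example.com"


def _split(addr):
    """Return (local_part, domain), both lowercased; tolerates a bare "@domain"."""
    local, _, domain = addr.strip().rpartition("@")
    return local.lower(), domain.lower()


def _domain_within(child, parent):
    return child == parent or child.endswith("." + parent)


def identity_covers(result, from_addr):
    """True only if the verified signature actually vouches for from_addr.

    A valid signature is transparent on its own: a message signed by an
    unrelated domain says nothing about the From header, so it must not
    earn an annotation.
    """
    if not result.valid:
        return False
    local, domain = _split(from_addr)
    ident = result.i or ("@" + result.d)          # no i= means "anyone at d="
    i_local, i_domain = _split(ident)
    # RFC 4871 requires the i= domain to be d= or a subdomain of it.
    if not _domain_within(i_domain, result.d.lower()):
        return False
    if i_local and i_local != local:
        return False                               # identity names a different user
    return _domain_within(domain, i_domain)


def should_annotate(from_addr, result, address_book, policy_local_parts=()):
    """Annotate iff the signature covers From and From is an address we know.

    address_book: full addresses the recipient already has.
    policy_local_parts: local-parts (e.g. "postmaster") accepted for any
    domain that appears in the address book (assumed reading of the
    "local-parts added via policy" idea).  No label-tree walk is needed:
    a look-alike domain never appears in the book, so it is never annotated.
    """
    if not identity_covers(result, from_addr):
        return False
    local, domain = _split(from_addr)
    book = {"%s@%s" % _split(a) for a in address_book}
    if "%s@%s" % (local, domain) in book:
        return True
    known_domains = {_split(a)[1] for a in book}
    return domain in known_domains and local in {p.lower() for p in policy_local_parts}


def demo():
    """Constructed scenarios; returns {name: annotate?} for inspection."""
    book = {"alice@example.com", "Bob@Example.org"}        # constructed address book
    policy = ("postmaster",)                               # constructed policy local-parts
    return {
        # Known correspondent, signed by her own domain: annotate.
        "known": should_annotate(
            "Alice@example.com", DkimResult(True, "example.com"), book, policy),
        # Look-alike domain with a perfectly valid signature: not in the book, no annotation.
        "lookalike": should_annotate(
            "alice@examp1e.com", DkimResult(True, "examp1e.com"), book, policy),
        # Spoofed From, valid signature from an unrelated domain: identity does not cover From.
        "spoofed_from": should_annotate(
            "alice@example.com", DkimResult(True, "attacker.invalid"), book, policy),
        # i= names a different user at the signing domain.
        "wrong_user": should_annotate(
            "alice@example.com", DkimResult(True, "example.com", "bob@example.com"), book, policy),
        # Policy-added local-part at a known domain: annotate.
        "policy": should_annotate(
            "postmaster@example.com", DkimResult(True, "example.com"), book, policy),
        # Broken signature: nothing to assure.
        "invalid_sig": should_annotate(
            "alice@example.com", DkimResult(False, "example.com"), book, policy),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-13s annotate=%s" % (name, ok))
```

The only network transaction in this path is the one DKIM verification already requires (fetching the selector's key); everything else is a lookup in local data, which is the property the reply contrasts with tree-walking.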