On Sep 21, 2006, at 9:47 AM, Michael Thomas wrote:
Jim Fenton wrote:
I don't understand this. Many people routinely do reverse DNS
lookups on the IP address from which messages are received, SPF
checks (which can be several lookups), and so forth. Why the
sensitivity to additional, potentially well-cached lookups?

There is a far greater likelihood the transactions in question are
_not_ cacheable.

When there is a high level of UDP traffic, especially when highly
distributed transactions load a common server, high packet loss rates
may result. The average domain offers two DNS. When each message is
expected to generate a load on servers that have never indicated an
expectation of even seeing this traffic, it should also not be
surprising that this load may not be well handled. The retry period
for a lost packet is 5 seconds, followed by 10 and then 20 etc. The
number of resulting simultaneous connections may subsequently limit
the MTA's ability to accept additional connections, for a type of DoS.

Keep in mind SPF remains experimental, where even that status needs
to be questioned, as it also represents a serious security concern as
well.

I think that the interesting meta issue here is that DKIM
verification does not require this; SSP requires this. I hope that
there isn't confusion about that because the two really are severable.

When an email-address's domain's policy is checked only in response to
a retained email-address then there is never a need to hunt for a
policy. This assumption of any required search is premised upon a
mode of protection that is highly flawed when look-alike attacks are
considered. Address-books and trusted-lists can leverage the
information made available with DKIM. For this mode of operation,
policy may simply provide a means to associate different domains.

There's a lot of question how much "teeth" these requirements on
the verifier have. We used the stronger wording to encourage
"compliant" implementations to do SSP, because a lot of the reason
for publishing SSP goes away if it is going to be ignored. But I
expect that it will be up to the individual customer's choice,
just as it's possible to turn certain classes of checks on and off
in SpamAssassin.

Again, we need to separate out the two protocols. We have to have
MUST requirements for the SSP protocol, but there isn't a MUST USE
SSP requirement for any given DKIM verifier.

As indicated with the use of the address-book or trusted domain list,
there is NO NEED for any SSP must. Do you want this to become a
legal requirement? No protection scheme should mandate highly
questionable and potentially dangerous network activity.
-Doug
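
A rough capacity model of the effect described in the message above, as an added example that is not part of the original thread: it uses the 5/10/20 second retry schedule from the message and Little's law to estimate how many SMTP sessions stay open while uncached lookups wait on lost UDP packets. The function names, the independent-loss assumption, sequential lookups during the session, and the 100 msg/s and 500-session figures are assumptions made for illustration.

```python
# Retry schedule quoted in the message: 5 s, then 10 s, then 20 s.
RETRY_TIMEOUTS = (5.0, 10.0, 20.0)


def expected_lookup_seconds(loss, rtt=0.05, timeouts=RETRY_TIMEOUTS):
    """Mean time one uncached UDP lookup blocks the SMTP session.

    Assumption: every attempt is lost independently with probability `loss`,
    and the resolver gives up once the whole schedule has elapsed.
    """
    if not 0.0 <= loss <= 1.0:
        raise ValueError("loss must be a probability")
    expected, waited, p_needed = 0.0, 0.0, 1.0
    for timeout in timeouts:
        # This attempt is answered after `rtt`, on top of earlier timeouts.
        expected += p_needed * (1.0 - loss) * (waited + rtt)
        waited += timeout
        p_needed *= loss
    return expected + p_needed * waited  # every attempt lost: full wait


def concurrent_sessions(msgs_per_sec, loss, lookups_per_msg=1,
                        base_session=1.0, rtt=0.05):
    """Little's law: open sessions = arrival rate x mean session time."""
    hold = base_session + lookups_per_msg * expected_lookup_seconds(loss, rtt)
    return msgs_per_sec * hold


def exceeds_limit(conn_limit, msgs_per_sec, loss, **kw):
    """True when steady-state demand is above the MTA's connection cap."""
    return concurrent_sessions(msgs_per_sec, loss, **kw) > conn_limit


if __name__ == "__main__":
    # Constructed figures: 100 msg/s inbound, cap of 500 sessions.
    for loss in (0.0, 0.05, 0.2, 0.5):
        n = concurrent_sessions(100, loss)
        print(f"loss={loss:4.0%}  sessions={n:7.1f}  over_cap={n > 500}")
```
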