3.2.2. SSP Lookup Algorithm

4th & 6th Sentence

Was:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list" and must include a defined "dkim="
tag. This query MAY be done in parallel with the query made in step 2.
If the result of this query is an "NXDOMAIN" error, the SSP Checker
MUST return an appropriate error to the Evaluator and terminate the
algorithm.

4th & 6th Sentence

Change to:

For the purposes of this section a "valid SSP record" is one that is
both syntactically and semantically correct; in particular, it must
match the ABNF for a "tag-list", and MUST include a defined "dkim="
tag and MUST be accompanied by an MX record at the Author Domain.
This query MAY be done in parallel with the query made in step 2. If
the result of this query is an "NXDOMAIN" error, the SSP Checker MUST
return an appropriate error to the Evaluator and terminate the
algorithm. When the SSP record is returned without there also being
an MX record at the Author Domain, the signature SHOULD BE considered
fraudulent without further DNS transactions being attempted.

Item 2

Was:

2. _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
   for a record corresponding to the Author Domain (with no prefix).
   The type of the query can be of any type, since this step is only
   to determine if the domain itself exists in DNS.

Item 2

Change to:

2. _Verify Domain Exists._ The SSP Checker MUST perform a DNS query
   for a record corresponding to the Author Domain (with no prefix).
   The type of the query SHOULD BE for an MX record. This step can
   depend upon other record types as the response is only to
   determine whether the domain itself exists in DNS.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

To better ensure the minimum number of DNS transactions occur while
processing DNS SSP and key TXT records, especially for domains that do
not implement email, the SSP draft should mandate publishing MX
records whenever an SSP record is also published. Since the SSP
discovery process makes use of MX record queries to determine whether
the domain exists, then when an SSP record is returned for a domain
that has not published an MX record, this thereby signals that both
email and DKIM are NOT used for email addresses at this domain. This
strategy affords a better cache hit rate during the SSP discovery
process, the detection of fraudulent uses of the domain, and a means
to protect second level domains.
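
The decision order the proposed text implies, as an added example that is not part of the original message or of the SSP draft. It works on DNS answers that have already been fetched; the function names, result strings and the set of "defined" dkim= values are assumptions, and checking syntax before the MX rule is one reading of the proposal.

```python
import re

# Assumption: the page does not list the defined "dkim=" values; this set is illustrative.
DEFINED_DKIM = {"unknown", "all", "strict"}

# One tag-spec in the DKIM tag-list shape: name "=" value, value free of ";".
TAG_SPEC = re.compile(
    r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*([!-:<-~]*(?:\s+[!-:<-~]+)*)\s*$")

def parse_tag_list(txt):
    """Return {tag: value} when txt has tag-list shape, otherwise None."""
    parts = txt.split(";")
    if parts[-1].strip() == "":
        parts.pop()                      # a single trailing ";" is allowed
    tags = {}
    for part in parts:
        m = TAG_SPEC.match(part)
        if m is None or m.group(1) in tags:
            return None                  # malformed tag-spec or duplicate tag
        tags[m.group(1)] = m.group(2)
    return tags or None

def evaluate(rcode, mx_records, ssp_txt):
    """Classify one Author Domain from already-fetched DNS answers.

    rcode       response code of the lookup ("NOERROR" or "NXDOMAIN")
    mx_records  MX targets returned for the Author Domain (may be empty)
    ssp_txt     text of the SSP record, or None when none was returned
    """
    if rcode == "NXDOMAIN":
        return "error-nxdomain"          # terminate with an error
    if ssp_txt is None:
        return "no-ssp"
    tags = parse_tag_list(ssp_txt)
    if tags is None or tags.get("dkim") not in DEFINED_DKIM:
        return "invalid-ssp"             # fails the syntactic/semantic test
    if not mx_records:
        return "fraudulent"              # SSP record present, no MX: stop here
    return "valid-ssp:" + tags["dkim"]

if __name__ == "__main__":
    # Constructed sample answers, not real DNS data.
    print(evaluate("NOERROR", ["mail.example.com."], "dkim=all"))
    print(evaluate("NOERROR", [], "dkim=all"))
```
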
