Dave Crocker wrote:
> G'day,
>
> While reviewing the posts in response to the iab draft, I am finding myself
> unclear about the reasons for Step 2 of the query procedure in ASP's Section
> 4.2.2. I'm pretty sure this is not merely a caffeine-deficiency-based
> question...
>
> What is the functional or security reason for verifying that the domain
> exists, in terms of ASP?
>
> I can imagine obvious reasons, outside of ASP, but those would not need to be
> documented in the ASP.
>
> At the least, it would help to have the document include text that explains
> the benefit of this step.
Where this came from, as I remember, is the translation from a new RR type to a prefixed TXT query. If ASP is published using its own RR type, one can do a query that gets the ASP record, and find out whether the domain exists at all. If you substitute a prefixed TXT query, you need to do a query for the domain itself, without the prefix, if you want to find this out.

Checking for the existence of the domain is clearly a useful thing to do, but it could be considered out of scope for ASP to check for the existence of the domain, since a non-existent domain naturally does not have a signing practices record (and we already know that).

Another justification might be caching, but I'd need to find out more about how negative caching works: would a negative response to _asp._domainkey.nonexistent.example.com result in a negative cache entry for nonexistent.example.com? If so, step 2 might occur very quickly (and locally), potentially eliminating the step 3 query for the parent, which would probably not be cached.

-Jim

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
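As an added illustration of the caching question raised in the reply above (example code written for this page, not from the draft or the list), here is a toy resolver whose negative cache behaves as RFC 2308 describes, keyed by the exact name queried (and type for NODATA), running the three-step sequence as described in the thread over a constructed zone. The ASP record format, the use of MX for the existence check and the walk-up-to-parent stop rule are assumptions made for the model; the point it shows is that an NXDOMAIN cached for `_asp._domainkey.nonexistent.example.com` does not cover `nonexistent.example.com` itself, so the step 2 query still goes upstream the first time.

```python
# Constructed zone: example.com publishes ASP; sub.example.com has none; nonexistent.example.com does not exist.
ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("_asp._domainkey.example.com", "TXT"): ["dkim=all"],
    ("sub.example.com", "MX"): ["mail.example.com"],
}
NXDOMAIN, NODATA, ANSWER = "NXDOMAIN", "NODATA", "ANSWER"


class StubResolver:
    """Toy caching resolver. Negative answers are cached as RFC 2308 describes:
    NXDOMAIN by exact QNAME (all types), NODATA by exact QNAME+QTYPE."""

    def __init__(self, zone):
        self.zone = zone
        self.names = {name for name, _ in zone}
        self.neg_cache = set()   # (qname, qtype) with qtype None for NXDOMAIN
        self.wire = []           # queries that actually went upstream

    def query(self, qname, qtype):
        if (qname, None) in self.neg_cache:
            return NXDOMAIN, []
        if (qname, qtype) in self.neg_cache:
            return NODATA, []
        self.wire.append((qname, qtype))
        if qname not in self.names:
            self.neg_cache.add((qname, None))
            return NXDOMAIN, []
        rdata = self.zone.get((qname, qtype))
        if rdata is None:
            self.neg_cache.add((qname, qtype))
            return NODATA, []
        return ANSWER, rdata


def asp_lookup(resolver, domain):
    """Steps as described in the thread (assumed model, not the draft's text):
    1) prefixed TXT, 2) existence of the domain itself, 3) repeat at parent."""
    status, rdata = resolver.query(f"_asp._domainkey.{domain}", "TXT")
    if status == ANSWER:
        return "found", domain, rdata[0]
    # Step 2 is its own query: the NXDOMAIN cached for the prefixed name
    # says nothing about `domain`, so the first time this goes upstream.
    if resolver.query(domain, "MX")[0] == NXDOMAIN:
        return "nxdomain", domain, None
    parent = domain.partition(".")[2]
    if "." not in parent:  # stop before reaching the TLD
        return "none", domain, None
    return asp_lookup(resolver, parent)
```

Inspect `resolver.wire` after a lookup to see which of the three steps were served from the negative cache and which went upstream; a second lookup of the same non-existent domain adds no wire queries at all.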
