Jim,
Jim Fenton wrote:
> Dave Crocker wrote:
>> Just to make sure we are on the same page about the hierarchy trick in the
>> spec:
>>
>> The one-level-up hack might be useful for saving some administration,
>> but it
>> does not provide meaningful "protection", since all an attacker has to do is
>> use
>> a level down.
>>
>
> I'm not entirely clear on what you mean by "a level down", but let me
> try to take a stab at it.
>
> Suppose example.com has "all" signing practices that it wants to extend
> to itself and everything under it (at multiple levels).
I thought we had agreed that the one-level-up hack (or one-level-down,
depending
on your spec) specified in the document was intended as an administrative
convenience, rather than as a discrete security mechanism.
> Suppose a message comes with an author address of [EMAIL PROTECTED]
> (hostname ns.example.com exists). The one-level-up query will apply the
> ADSP for example.com.
Right. But it won't cover the cases in which the site has a multi-level domain
naming substructure, as many organizations do. This is why the one-level
mechanism really is only about saving the administrator from creating a set of
records.
(Has there been a discussion about the trade-off between saving some
administrators this effort, versus the transactional overhead of having every
receiving host do extra queries, so see whether there is a record one-level up?)
> Suppose a message comes with an author address of [EMAIL PROTECTED]
> (hostname foo.example.com does not exist). The step-2 query will result
> in an NXDOMAIN, so the ADSP result will be "the domain does not exist".
> "Domain" in this context means the right-hand-side of the address as the
> term is used in RFC 2821.
So the check-for NXDomain is intended to cover those cases where the site has
set -all and has indeed provided ADSP records (directly or implicitly) for all
domain names it controls?
> Suppose a message comes with an author address of
> [EMAIL PROTECTED] (hostname foo.bar.example.com does not exist).
> Again, the step-2 query results in an NXDOMAIN, and ADSP says "the
> domain does not exist".
>
> Suppose a message comes with an author address of
> [EMAIL PROTECTED] (hostname www.eng.example.com exists). In this
> case, the one-level-up query does not reach the example.com ADSP
> record. For full coverage, there MUST be an ADSP record for
> eng.example.com, as required by section 4.2 paragraph 2.
>
> The point of the one-level-up query was not to relieve domains from
> publishing ADSP records for subdomains, but rather for hostnames and
> other terminal nodes ("terminal node" as used in RFC 2136).
I do not understand this sentence. It parses as a sentence, but I not see the
semantic sense in it. Please clarify.
The first part of the sentence seems to contradict statements you made earlier
about the mechanism, when pressed on its relevance.
This
> greatly reduces the burden of publication required to get complete ADSP
> coverage.
And I do not see how your sentence, here, is different from "relieving domains
from publishing [some] ADSP records for sub-domains. That's what I mean by
administrative convenience.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
