Eliot Lear wrote:
> Dave, Chairs,
>
> Why isn't this a duplicate of Issue 1402
> <https://rt.psg.com/Ticket/Display.html?id=1402>? By my recollection,
> this topic alone has been discussed at at least two - and possibly three
> - working group meetings. Please advise.

It does look similar. Dave - can you differentiate this from 1402?

Stephen.

> Eliot
>
>
> Dave Crocker wrote:
>> Folks,
>>
>> This issue encompasses some others, but I believe it is more basic and
>> therefore informs the others and therefore needs to be resolved
>> separately:
>>
>> There is a basic difference between trying to protect a single domain
>> name, versus trying to protect an entire sub-tree.
>>
>> 1. The DNS was not designed with sub-tree operators. The wildcard
>> mechanism is a very narrowly-defined capability and is useless in the
>> face of underscore-based naming, since the underscore node really
>> defines an attribute of the domain name it is under, rather than
>> defining a true "name".
>>
>> What this leaves us with is attempting to invent mechanisms that turn
>> out to do only a partial job, at best.
>>
>>
>> 2. Some of the sub-tree effort is for administrative convenience. Some
>> is for expanded semantics.
>>
>> It's not clear that the specification is clear about this distinction.
>>
>> It is not clear that the specification is clear about the motivations
>> that make it mandatory to add sub-tree mechanisms to the specification.
>>
>>
>> 3. At least one of the sub-tree mechanisms is attempting to glean
>> information from the absence of publisher action. Let me explain:
>>
>> I believe the desire with checking the A record is similar to the idea
>> behind having ADSP in the first place.
>>
>> That is:
>>
>> a) DKIM is for declaring the presence of an accountable identity. If a
>> signature is present, you know something. If it is absent, you know
>> nothing extra.
>>
>> b) ADSP attempts to tell you something, in the absence of a signature.
>> It does that by defining something else that must be present. If the
>> ADSP record is present, you know something. If it is absent, you know
>> nothing extra.
>>
>> c) Checking for the presence of an A record is intended to try to tell
>> you something in the absence of an explicit action by the domain owner.
>> That's its flaw: It is intuiting ADSP information from non-ADSP action.
>>
>> While there is nothing wrong with checking the A record, its semantics
>> have literally nothing (directly) to do with ADSP.
>>
>>
>> All of the above of course implies some specific actions, but for this
>> note, my real goal is to get much more explicit discussion and consensus
>> about the difference between protecting a single domain name, versus
>> protecting a tree of names, and to get consensus about each of these as
>> separable goals.
>>
>> d/
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
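Two of the points in Dave's note above are easier to see against a concrete zone: his point 1, that a wildcard cannot stand in for the underscore-prefixed node below names that already exist, and his point 3, that an A record lookup on the author domain is a separate thing from an ADSP record. The following is an added example written for this page; it is not code from the thread, the working group or any DKIM implementation. It models the RFC 4592 "closest encloser" wildcard rule over a constructed zone (the host names, the 192.0.2.10 address and the `dkim=all` policy string are made up for illustration), uses the `_adsp._domainkey` prefix at which ADSP records are published, and adds an `adsp_status` function that is one constructed reading of the three cases (a), (b) and (c) in the note rather than the specification's wording.

```python
"""
Added example, not from the original thread: a toy model of DNS wildcard
synthesis (the RFC 4592 "closest encloser" rule) applied to ADSP-style
records published at the underscore-prefixed node _adsp._domainkey.
The zone contents, host names, address and policy string below are
constructed for illustration only.
"""
from typing import Dict, List, Set, Tuple

# owner name -> {rrtype: [rdata, ...]}; owner names carry a trailing dot
# as they would in a zone file.
Zone = Dict[str, Dict[str, List[str]]]

CONSTRUCTED_ZONE: Zone = {
    "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"]},
    # The operator's attempt to cover the whole sub-tree with one record.
    "*.example.com.": {"TXT": ["dkim=all"]},
    # Explicit ADSP record for the apex itself.
    "_adsp._domainkey.example.com.": {"TXT": ["dkim=all"]},
    # An ordinary host that exists in the zone (constructed address).
    "www.example.com.": {"A": ["192.0.2.10"]},
}


def labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels, dropping the root."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def existing_nodes(zone: Zone) -> Set[str]:
    """Every name that exists in the zone, including empty non-terminals
    (ancestors of owner names that carry no records of their own)."""
    nodes: Set[str] = set()
    for owner in zone:
        ls = labels(owner)
        for i in range(len(ls)):
            nodes.add(".".join(ls[i:]))
    return nodes


def closest_encloser(qname: str, nodes: Set[str]) -> str:
    """Longest existing ancestor of qname (RFC 4592 section 3.3.1).
    Returns "" for the root if nothing above qname exists in the zone."""
    ls = labels(qname)
    for i in range(1, len(ls) + 1):
        ancestor = ".".join(ls[i:])
        if ancestor in nodes:
            return ancestor
    return ""


def lookup(zone: Zone, qname: str, rrtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata). rcode is NOERROR or NXDOMAIN; NOERROR with an
    empty rdata list is the NODATA case (the name exists, the type does not)."""
    nodes = existing_nodes(zone)
    key = ".".join(labels(qname))
    if key in nodes:
        # The name exists, so no wildcard may be used for it.
        return "NOERROR", list(zone.get(key + ".", {}).get(rrtype, []))
    ce = closest_encloser(qname, nodes)
    wildcard = f"*.{ce}." if ce else "*."
    if wildcard in zone:
        # Synthesised only when the wildcard's parent is the closest encloser.
        return "NOERROR", list(zone[wildcard].get(rrtype, []))
    return "NXDOMAIN", []


def adsp_status(zone: Zone, author_domain: str) -> str:
    """One constructed reading of the three cases in the note (not the
    specification's wording):
      - an ADSP record is present: you learn the published policy;
      - none is present but the domain has an A record: "unknown", since
        the A record is not an ADSP statement and tells you nothing extra;
      - neither is present: "no-domain", the existence check is all you have."""
    rcode, policy = lookup(zone, f"_adsp._domainkey.{author_domain}", "TXT")
    if rcode == "NOERROR" and policy:
        return policy[0]
    rcode, addrs = lookup(zone, author_domain, "A")
    return "unknown" if rcode == "NOERROR" and addrs else "no-domain"


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "nonexistent.example.com"):
        print(f"{name:28s} -> {adsp_status(CONSTRUCTED_ZONE, name)}")
```

Running it shows the inversion the note is worried about: `_adsp._domainkey.www.example.com` returns NXDOMAIN, because `www.example.com` exists and is therefore the closest encloser, so the apex wildcard never applies to it; meanwhile `_adsp._domainkey.nonexistent.example.com` gets `dkim=all` synthesised from `*.example.com`. The wildcard covers exactly the names the operator does not use, and each real host would need its own `*.host.example.com` (or an explicit `_adsp._domainkey` node) to be covered. The existence check in `adsp_status` only ever comes into play after the ADSP lookup has already failed, which is the separation Dave's point (c) is asking the group to keep straight.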
