On Apr 9, 2008, at 11:43 AM, MH Michael Hammer (5304) wrote:

> In response to the question Dave asks, I like the idea of providing the option of protecting an entire (sub)tree within a domain. My question to the gurus is whether there is a clean way to identify "main" domains below a TLD. For the generics this would appear to be straightforward. For country TLDs I'm not so sure. Some country TLDs might always require a .co.TLD or .edu.tld (or something similar). Not only is there inconsistency across such TLDs, there may be inconsistency over time as far as requirements within a TLD.
>
> What started me thinking along this line was allowing a base domain (if you will) to make an assertion that ALL subdomains only send signed mail (or never sign mail or ?)
Technically, Dave Crocker is right. The issue he raises is valid since message content is independent of SMTP. When taken to heart, one cannot expect _any_ DNS records to relate to what might be email addresses contained within the messages.

One simple assertion can overcome this issue. Declare protections afforded by ADSP _only_ relate to email addresses exchanged using SMTP. With this statement, there would be MX or A DNS resource records required by the domain. Presence of these records therefore offers a means to validate the domains.

To put an upper limit on the number of policy-related DNS transactions that could increase over time, require publishing MX records with any SMTP policy record. This would place an upper limit on the number of transactions needed to determine presence of SMTP policy. The first step in evaluating SMTP policy would be requesting an MX record. To determine whether the domain might be valid for SMTP, a subsequent transaction could check for A records. Until A record discovery becomes deprecated, and to avoid tree walking, domains seeking protection should be required to publish ADSP records at every node where there are also A records. The existence of policy records in the absence of MX records would also refute that any message comes from the domain. As policy records would need to be published in conjunction with A records, the requirement that policy be qualified by MX records eliminates any need to also publish bogus MX records, as has been suggested as an alternative strategy.

Acceptance of messages independent of SMTP delivery is a separate matter not covered by ADSP. This could be handled through a scope statement in the ADSP record, but this field is currently missing. The way forward would be to declare that ADSP pertains to SMTP-exchanged messages. When handling a mixture of messages exchanged using SMTP and other protocols, there will be potential conflicts. When the exchange protocol is not apparent to recipients, these messages may be seen as not compliant with ADSP assertions when a default assumption of SMTP is used.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
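The lookup order Doug proposes (MX first, A only when MX is absent, then the policy record, with a policy-but-no-MX node read as a refusal to send mail) modelled as an added example; this is not code from the thread or from any ADSP implementation. It assumes the policy TXT record lives at `_adsp._domainkey.<domain>` with a `dkim=` tag, queries a constructed in-memory zone instead of real DNS, and the verdict table is one reading of the message, not a standard.

```python
# Added example: evaluate an author domain under the MX-qualified ADSP discovery
# order described in the message. The zone below is constructed for illustration.
from enum import Enum

class Verdict(Enum):
    SIGNED_ALL = "all"            # policy: every message from this domain is signed
    UNKNOWN = "unknown"           # no usable policy; ADSP cannot judge the message
    NOT_SMTP_DOMAIN = "not-smtp"  # domain refutes that any message comes from it

# Constructed zone: owner name -> {rrtype: [rdata]}. Real code would query DNS.
ZONE = {
    "example.com":                     {"MX": ["mail.example.com"], "A": ["192.0.2.1"]},
    "_adsp._domainkey.example.com":    {"TXT": ["dkim=all"]},
    "www.example.com":                 {"A": ["192.0.2.2"]},
    "_adsp._domainkey.www.example.com": {"TXT": ["dkim=all"]},  # policy, but no MX
    "host.example.com":                {"A": ["192.0.2.3"]},    # A only, no policy
}

def lookup(name, rrtype, zone=ZONE):
    return zone.get(name, {}).get(rrtype, [])

def evaluate_smtp_policy(domain, zone=ZONE):
    """Return (Verdict, number of DNS transactions used).

    Order: MX -> (A only if no MX) -> ADSP TXT. At most three queries, no tree walk:
    the policy is looked up at the exact author domain only."""
    queries = 1
    has_mx = bool(lookup(domain, "MX", zone))
    if not has_mx:
        queries += 1
        if not lookup(domain, "A", zone):
            # Neither MX nor A: nothing could accept SMTP for this name.
            return Verdict.NOT_SMTP_DOMAIN, queries
    queries += 1
    policy = lookup(f"_adsp._domainkey.{domain}", "TXT", zone)  # assumed location
    if not policy:
        return Verdict.UNKNOWN, queries
    if not has_mx:
        # Policy record published without an MX record: the domain asserts that
        # no mail is sent from it, so no bogus "null" MX record is needed.
        return Verdict.NOT_SMTP_DOMAIN, queries
    tags = dict(kv.strip().split("=", 1) for kv in policy[0].split(";") if "=" in kv)
    if tags.get("dkim", "").strip() == "all":
        return Verdict.SIGNED_ALL, queries
    return Verdict.UNKNOWN, queries
```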
