On Tuesday, January 24, 2012 01:29:35 PM John Levine wrote:
> >- move all the broken signature reporting into the signature itself by
> >making them extension DKIM-Signature tags, rather than putting them in
> >the key records in the DNS; the revised design doesn't require DNS
> >queries for failed signatures that don't otherwise need them
>
> Let's say I put this line in the header of a bazillion messages in a
> spam run:
>
> DKIM-Signature: v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz;
> r=murray;
>
> I've just indirectly mailbombed you. Oops. The domain has to publish
> something about its willingness to get reports, not unlike the way that
> ADSP publishes a record about what to do if there's no signature that
> matches the From: domains. Perhaps something like this:
I agree with it going in a DNS record, not in the signature, for exactly the
reasons you state.

> _report._domainkey.blackops.org TXT "r=sendreportshere"
>
> It doesn't belong in the key record since, among other things, that
> would make it hard to debug failures due to missing or malformed key
> records.

Isn't this perhaps overkill? As long as the key record isn't so broken one
can't extract r=$STRING out of it, I think it's sufficient. OTOH, for key
records that are missing entirely, because either someone forgot to publish
it or the wrong selector is being used (I've seen both happen), there's no
way around a separate record like this. I'm not sure what's best.

Scott K
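The reporter-side decision the two of them are arguing about, written out as an added example (not code from the thread, nor from any DKIM or MARF implementation). It assumes the hypothetical `r=` tag and `_report._domainkey` record John sketches, adds Scott's key-record fallback behind a flag, and replaces real DNS with a constructed table so it runs offline.

```python
# Added example; not code from the thread or from any DKIM/MARF implementation.
# The "r=" tag and the _report._domainkey record are the hypothetical forms
# John proposes; the key-record fallback is Scott's alternative. All DNS
# answers below are constructed so the example runs offline.

CONSTRUCTED_TXT = {
    # Domain that asked for reports via the separate record John proposes.
    "_report._domainkey.example.org": ["r=dkim-reports@example.org"],
    # Domain that only put r= in its key record (Scott's "is this overkill?").
    "sel._domainkey.example.net": [
        "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY; r=postmaster@example.net"
    ],
    # blackops.org publishes nothing: it never asked for reports.
}


def lookup_txt(name, txt=CONSTRUCTED_TXT):
    """Offline stand-in for a DNS TXT query; [] means no record at all."""
    return txt.get(name.rstrip("."), [])


def parse_tags(s):
    """Parse a DKIM-style 'tag=value; tag=value' list into a dict.

    Only the first '=' separates tag from value, so base64 padding in b=
    or p= survives intact.
    """
    tags = {}
    for part in s.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def report_address(sig_value, allow_key_record=False, txt=CONSTRUCTED_TXT):
    """Return where a failure report for this signature may go, or None.

    The r= tag inside the signature itself is never consulted: the sender
    controls that value, and honouring it turns the reporter into the
    indirect mailbomb John describes. Only the d= domain's own DNS says yes.
    """
    tags = parse_tags(sig_value)
    domain, selector = tags.get("d"), tags.get("s")
    if not domain:
        return None
    names = [f"_report._domainkey.{domain}"]
    if allow_key_record and selector:
        names.append(f"{selector}._domainkey.{domain}")
    for name in names:
        for rec in lookup_txt(name, txt):
            addr = parse_tags(rec).get("r")
            if addr:
                return addr
    return None
```

With the spam-run header from John's message, `report_address` returns `None` under both settings, because blackops.org never published anything.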
