Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque

[Jeff Macdonald]

On Sun, Apr 05, 2009 at 12:21:51AM +0100, John R. Levine wrote:
>>> One of us should send in a separate technical erratum saying that DKIM
>>> key records SHOULD be published only for SDID domains that have
>>> corresponding MX or A records and can receive mail.
>>
>> I believe your later posting on this retracted the suggestion, but this 
>> issue 
>> strike me as one that is very easy (and common) to misunderstand. So it's 
>> worth emphasizing.  Might be worth adding tidbits to the Deployment draft?
>>
>> The d= domain name is permitted to have /no relationship/ to any 
>> mail-sending 
>> or mail-receiving domain name.  Hence, no A, MX, or possibly /any(!)/ DNS 
>> resource records for the name.
>
>Right.  You have to control the branch of the DNS tree where the d= domain 
>would exist, since you need that to be able to install the key records, 
>but the domain doesn't have to exist otherwise.  Once you remember that 
>the big advance of DKIM over its predecessors is to separate the signing 
>domain from the domains in various other headers, this is clearly the 
>right way for it to work.

+1

my thinking has always been 3243242.rep.example.net.


-- 
Jeff Macdonald
jmacdon...@e-dialog.com

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque

[John R. Levine]

>> One of us should send in a separate technical erratum saying that DKIM
>> key records SHOULD be published only for SDID domains that have
>> corresponding MX or A records and can receive mail.
>
> I believe your later posting on this retracted the suggestion, but this issue 
> strike me as one that is very easy (and common) to misunderstand. So it's 
> worth emphasizing.  Might be worth adding tidbits to the Deployment draft?
>
> The d= domain name is permitted to have /no relationship/ to any mail-sending 
> or mail-receiving domain name.  Hence, no A, MX, or possibly /any(!)/ DNS 
> resource records for the name.

Right.  You have to control the branch of the DNS tree where the d= domain 
would exist, since you need that to be able to install the key records, 
but the domain doesn't have to exist otherwise.  Once you remember that 
the big advance of DKIM over its predecessors is to separate the signing 
domain from the domains in various other headers, this is clearly the 
right way for it to work.

> There might prove to be some benefits in choosing to have the d= name 
> match the name used for other purposes, but the design of DKIM does not 
> require it and it's essential that signers retain the choice.

The more I think about what it would mean to assert that an address in a 
From: or other header is "real", the less I understand it.  Sure, there 
are trivial cases (that is, trivial semantics, not necessarily small 
numbers of mailboxes) where an organization forces a 1-1 mapping between 
mailboxes and people, but there's a whole lot of other ways that mail 
works.  What does it mean for the address sa...@examp1e.com to be real 
when there are 100 people in the sales department?  Don't answer that, 
just note that there is more than one possible answer.

R's,
John
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

John Levine wrote:
> One of us should send in a separate technical erratum saying that DKIM
> key records SHOULD be published only for SDID domains that have
> corresponding MX or A records and can receive mail.


I believe your later posting on this retracted the suggestion, but this issue 
strike me as one that is very easy (and common) to misunderstand. So it's worth 
emphasizing.  Might be worth adding tidbits to the Deployment draft?

The d= domain name is permitted to have /no relationship/ to any mail-sending 
or 
mail-receiving domain name.  Hence, no A, MX, or possibly /any(!)/ DNS resource 
records for the name.

There might prove to be some benefits in choosing to have the d= name match the 
name used for other purposes, but the design of DKIM does not require it and 
it's essential that signers retain the choice.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Jeff Macdonald]

On Fri, Mar 27, 2009 at 11:37:10AM -, John Levine wrote:
>>> well, now I'm completely confused.  to my eyes, your example fits
>>> exactly what 'registered' and 'resolvable' mean, but I guess you
>>> have something else in mind.
>
>Steve is quite right.  Since the DKIM key records are at different
>names from the related MX or A record, the existence of one doesn't
>require or imply the existence of the other.
>
>I don't want to hold up this errata/update/whatever any more than it
>already is, so I'd suggest taking out any wording about the DNS status
>of the SDID.
>
>One of us should send in a separate technical erratum saying that DKIM
>key records SHOULD be published only for SDID domains that have
>corresponding MX or A records and can receive mail.

-1

please don't, or at least, please explain.


The following shouldn't be discouraged:

From: f...@bar.com
DKIM-Signature: ... d=43343.rep.bar.com ...

where 43343.rep.bar.com doesn't have any MX or A record.




-- 
Jeff Macdonald
jmacdon...@e-dialog.com

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[John R. Levine]

> The following shouldn't be discouraged:
>
> From: f...@bar.com
> DKIM-Signature: ... d=43343.rep.bar.com ...
>
> where 43343.rep.bar.com doesn't have any MX or A record.

On further reflection, you're right.  The signature isn't an email address 
or a web site, so there's no reason it needs anything more than a key 
records.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Suresh Ramasubramanian]

On Sat, Mar 28, 2009 at 10:34 PM, Dave CROCKER  wrote:
> Hence the wording should be: "A single domain name that..." for both SDID and 
> AUID.
>
> Does this match everyone's assessment of consensus?

Acceptable.
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

Folks,

My intent with the suggested wording was *only* to make the language exactly 
match what DKIM requires.  It was an exercise in precision, accuracy and 
completeness, not modification or enhancement. That is, nothing new was 
intended.

It clearly did not achieve that goal.

I'm reading the dominant sense of the considerable set of postings on this 
topic 
as being:  Return to the original wording of the Errata draft.

Hence the wording should be: "A single domain name that..." for both SDID and 
AUID.

Does this match everyone's assessment of consensus?

d/

Dave CROCKER wrote:
> I think this does motivate two improvements to the draft language, one for 
> SDID 
> and one for AUID:
> 
>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
> ...
>>  New:
>>A single domain name that is the mandatory payload output of
>>DKIM and that refers to the identity claiming responsibility for
>>introduction of a message into the mail stream.  For DKIM
>>processing, the name has only basic domain name semantics; any
>>possible owner-specific semantics is outside the scope of DKIM.
> 
> A single domain name -> A single, registered domain name
> 
> 
>> 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
> ...
>>  New:
>>A single domain name that identifies the agent or user on behalf
>>of whom the SDID has taken responsibility.  For DKIM
>>processing, the name has only basic domain name semantics; any
>>possible owner-specific semantics is outside the scope of DKIM.
> 
> A single domain name -> A single, syntactically valid domain name
> 
> {{ no, I'm not in love that that wording choice.  /d }}
> 
> 
> How much indigestion does this cause?
> 
> d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[J.D. Falk]

Steve Atkins wrote:

> Not only does hatstand.beartrap.blighty.com not resolve, it's not
> registered anywhere. It exists solely as a substring of the string
> that's actually queried -
> banjo.aardvark._domainkey.hatstand.beartrap.blighty.com
>
> The only thing that can be said about the SDID in DNS terms is that
> the signer of the mail has the ability to add TXT records in the
> subtree rooted at that domain.
>
> Given that, trying to make more specific statements about what the
> SDID is than something vague like "a domain name" is likely to lead to
> something that's misleading or plain wrong.
>
> -1 on "registered" or "resolvable".

Sounds like the real requirement is that a DKIM verifier be able to figure 
out which key to use, based on that string.  There must be an IETF standard 
way to describe that

-- 
J.D. Falk
Return Path Inc
http://www.returnpath.net/
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Douglas Otis]

On Mar 27, 2009, at 8:04 AM, Tony Hansen wrote:

> Siegel, Ellen wrote:
>> Sorry for top-posting, but couldn't we sidestep all of the analysis  
>> by simply saying that the *syntax* (rather than the *semantics*)  
>> matches that of domain names?
>
> When all is said and done, it's the combination of the "selector  
> +_domainkey + SDID" that must be a valid domain name whose TXT  
> records can be accessed using DNS. This is the *only* name out of  
> all of these that MUST be in the DNS.


A valid DKIM signature confirms the signing agent is controlled by the  
domain indicated in SDID.  A valid signature also establishes an  
authority to assert UAID values that must reside at or under the  
domain.  (A valid DKIM signature verifies the UAID assertion by the  
SDID.)  When UAID values do not match against email-addresses within  
signed header fields, portions of the UAID namespace below the SDID  
may not represent an valid email destination.  However, the UAID value  
always represents an SDID identifier for on whose behalf their  
signature was added.

The SDID value could be seen as analogous to a State issuing a drivers  
license.  A valid signature could be analogous to untampered laser- 
scribed laminate and seals.  The License Number could be analogous to  
that of the UAID, where it might be replaced by a State email-address  
of the driver.  Such replacement can be denoted by its use within  
signed header fields.

-Doug
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Murray S. Kucherawy]

I understand the desire to constrain the SDID to be a registered name or 
under one, but is there a need to make this normative?  DKIM verification 
simply won't work if the SDID doesn't meet that criterion, and perhaps 
that's good enough.
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Barry Leiba]

> Has any reader of this spec actually been confused? I sure
> haven't seen it, and the advent of zillions of web resources in case
> there were any question at all makes this seem like a rather academic
> debate.

I agree with Mike.  Let's leave the text as it is, and move on.

Barry (participant)
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Michael Thomas]

Tony Hansen wrote:
> Siegel, Ellen wrote:
>> Sorry for top-posting, but couldn't we sidestep all of the analysis
>> by simply saying that the *syntax* (rather than the *semantics*)
>> matches that of domain names?
> 
> When all is said and done, it's the combination of the "selector +
> _domainkey + SDID" that must be a valid domain name whose TXT records
> can be accessed using DNS. This is the *only* name out of all of these
> that MUST be in the DNS.

Has any reader of this spec actually been confused? I sure
haven't seen it, and the advent of zillions of web resources in case
there were any question at all makes this seem like a rather academic
debate.

Mike
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Tony Hansen]

Siegel, Ellen wrote:
> Sorry for top-posting, but couldn't we sidestep all of the analysis
> by simply saying that the *syntax* (rather than the *semantics*)
> matches that of domain names?

When all is said and done, it's the combination of the "selector +
_domainkey + SDID" that must be a valid domain name whose TXT records
can be accessed using DNS. This is the *only* name out of all of these
that MUST be in the DNS.

Tony Hansen
t...@att.com
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 27, 2009, at 4:37 AM, John Levine wrote:

>>> well, now I'm completely confused.  to my eyes, your example fits
>>> exactly what 'registered' and 'resolvable' mean, but I guess you
>>> have something else in mind.
>
> Steve is quite right.  Since the DKIM key records are at different
> names from the related MX or A record, the existence of one doesn't
> require or imply the existence of the other.
>
> I don't want to hold up this errata/update/whatever any more than it
> already is, so I'd suggest taking out any wording about the DNS status
> of the SDID.

+1

> One of us should send in a separate technical erratum saying that DKIM
> key records SHOULD be published only for SDID domains that have
> corresponding MX or A records and can receive mail.

Any reason for that? It doesn't strike me as an obviously good idea.

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Bill.Oxley]

before we get too semantically bogged down, a domain name implys dns 
registration otherwise it is a label of convenience 


Bill Oxley
Messaging Engineer
Cox Communications, Inc
404-847-6397

-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On 
Behalf Of Steve Atkins
Sent: Thursday, March 26, 2009 9:21 PM
To: DKIM IETF WG
Subject: Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)


On Mar 26, 2009, at 6:10 PM, Dave CROCKER wrote:

>
>
> Steve Atkins wrote:
>> On Mar 26, 2009, at 3:49 PM, Dave CROCKER wrote:
>>>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
>>> ...
>>>>New:
>>>>  A single domain name that is the mandatory payload output of
>>>>  DKIM and that refers to the identity claiming  
>>>> responsibility  for
>>>>  introduction of a message into the mail stream.  For DKIM
>>>>  processing, the name has only basic domain name semantics; any
>>>>  possible owner-specific semantics is outside the scope of  
>>>> DKIM.
>>>   A single domain name -> A single, registered domain name
>> Registered with who?
>> If the SDID is, say, hatstand.beartrap.blighty.com?
>
>
> Registered with the DNS, the global distributed hierarchical service.
>
> From the other uses of this language I'm seeing on the net, this  
> isn't said explicitly.  Do you really feel that the meaning is not  
> clear?

Registered means that the string is registered with a registry.

That's not something I'd want the language to even hint at, let alone  
actually say. It's going to lead to confusion when explaining this to  
people, as you'll need to directly contradict the wording in the spec  
when you reassure them that, no, there is no central DKIM registry.

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Hector Santos]

SM wrote:
> Hi Hector,
> At 23:22 26-03-2009, Hector Santos wrote:
>> Who is the document addressed to?  I must be the only one here that is 
>> having trouble with the "new" lingo in communications.
> 
> The document is addressed to DKIM implementors.  The document can also 
> be used as a base for extensions built upon DKIM.

Well, before you can have DKIM implementators, they probably have 
something to first with electronic mail, and at some point it all has 
to revert back to layman terms (as we know it today) for customers to 
enjoy.

The question I ask to myself is this:

Can someone successful implement DKIM using RFC 4871 without having to 
resort to this errata?  Or does errata significant enough in fixing 
the original functional specifications that makes it mandatory to have?

-- 
Sincerely

Hector Santos
http://www.santronics.com


___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Siegel, Ellen]

Sorry for top-posting, but couldn't we sidestep all of the analysis by simply 
saying that the *syntax* (rather than the *semantics*) matches that of domain 
names? 

Ellen

> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
> boun...@mipassoc.org] On Behalf Of Dave CROCKER
> Sent: Thursday, March 26, 2009 6:50 PM
> To: Jim Fenton
> Cc: DKIM IETF WG
> Subject: [ietf-dkim] (registered) domain name (Re: errata revision:
> opaque)
> 
> 
> 
> Jim Fenton wrote:
> 
> > Just for completeness, I'll point out that some might feel that the
> > (indirect) statement that the domain name portion of the AUID has domain
> > name semantics is too strong.  The subdomain portion (the portion, if
> > any, that is a subdomain of the SDID) doesn't need to be an actual
> > domain at all.
> >
> > I'm not sure it's necessary to clutter the definition with this detail,
> > however.  I'm happy with it the way it is.
> 
> 
> Well, I think we should make sure that clarification text doesn't wind up
> diverging from the precise semantics of what it is trying to clarify, lest
> we
> create ambiguity.
> 
> So while this might be a pain, I think it's good you caught this issue and
> raised it.
> 
> I don't claim to know the nuances of this issue well enough.  For
> starters, I
> did some searching around, which might or might not have improved my
> understanding...
> 
> The best I can find is two kinds of distinction.  The term "hostname"
> refers to
> a constraint on use of the full Domain Name namespace.  The term
> "registered"
> appears to be the way of distinguishing names that appear in the
> operational
> service, ie, the public database.
> 
> That is, the former refers to names and the latter refers to a query
> mechanism.
> 
> When we say "actual", I think it translates into what the documents I'm
> seeing
> are calling "registered".
> 
> RFC4871's i= text says:
> 
>   "The domain part of the address MUST be the same as or a subdomain
> of the
> value of the "d=" tag"
> 
> which does not imply registration or non-registration.  Either appears to
> be legal.
> 
> I think this does motivate two improvements to the draft language, one for
> SDID
> and one for AUID:
> 
> > 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
> ...
> >  New:
> >A single domain name that is the mandatory payload output of
> >DKIM and that refers to the identity claiming responsibility for
> >introduction of a message into the mail stream.  For DKIM
> >processing, the name has only basic domain name semantics; any
> >possible owner-specific semantics is outside the scope of DKIM.
> 
> A single domain name -> A single, registered domain name
> 
> 
> >
> > 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
> ...
> >  New:
> >A single domain name that identifies the agent or user on behalf
> >of whom the SDID has taken responsibility.  For DKIM
> >processing, the name has only basic domain name semantics; any
> >possible owner-specific semantics is outside the scope of DKIM.
> 
> A single domain name -> A single, syntactically valid domain name
> 
> {{ no, I'm not in love that that wording choice.  /d }}
> 
> 
> How much indigestion does this cause?
> 
> d/
> --
> 
>Dave Crocker
>Brandenburg InternetWorking
>bbiw.net
> ___
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[SM]

Hi Hector,
At 23:22 26-03-2009, Hector Santos wrote:
>Who is the document addressed to?  I must be the only one here that 
>is having trouble with the "new" lingo in communications.

The document is addressed to DKIM implementors.  The document can 
also be used as a base for extensions built upon DKIM.

Regards,
-sm 

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[John Levine]

>> well, now I'm completely confused.  to my eyes, your example fits
>> exactly what 'registered' and 'resolvable' mean, but I guess you
>> have something else in mind.

Steve is quite right.  Since the DKIM key records are at different
names from the related MX or A record, the existence of one doesn't
require or imply the existence of the other.

I don't want to hold up this errata/update/whatever any more than it
already is, so I'd suggest taking out any wording about the DNS status
of the SDID.

One of us should send in a separate technical erratum saying that DKIM
key records SHOULD be published only for SDID domains that have
corresponding MX or A records and can receive mail.

R's,
John
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Hector Santos]

SM wrote:
> Hi Dave,
> At 15:49 26-03-2009, Dave CROCKER wrote:
>> The best I can find is two kinds of distinction.  The term 
>> "hostname" refers to
>> a constraint on use of the full Domain Name namespace.  The term "registered"
>> appears to be the way of distinguishing names that appear in the operational
>> service, ie, the public database.
> 
> The problem with this document is that it is not a specification 
> about DNS and the reader may not restrict his/her interpretation to 
> that only.  

Who is the document addressed to?  I must be the only one here that is 
having trouble with the "new" lingo in communications.

Imagine when its all said and done, someone getting into this may need 
  to take out a dictionary and print out a legend of new acronyms and 
stick it on his monitor, learn how to pronounced the syllables of the 
new acronyms and to thinking 2-3 times to understand what they mean 
and reflect in email.

Its all nuts. But I am the only person here that feels that way, so 
proceed.

-- 
Sincerely

Hector Santos
http://www.santronics.com


___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[SM]

Hi Dave,
At 15:49 26-03-2009, Dave CROCKER wrote:
>The best I can find is two kinds of distinction.  The term 
>"hostname" refers to
>a constraint on use of the full Domain Name namespace.  The term "registered"
>appears to be the way of distinguishing names that appear in the operational
>service, ie, the public database.

The problem with this document is that it is not a specification 
about DNS and the reader may not restrict his/her interpretation to 
that only.  People commonly view the term "registered" as meaning 
that the domain name has been registered through a registry.  You can 
get away with that by specifying "registered in DNS".  Generally, we 
don't have to go to such lengths as it is implicit that the domain 
name should be resolvable.  Given the amount of debate we have been 
having about DKIM, some people might prefer to have all the details 
nailed down so that we don't have to argue about this again in 
future.  Some people will come up and say that "registered in DNS" 
means that the domain name must also be registered through a registry.

> A single domain name -> A single, syntactically valid domain name

I don't know and I prefer not to know, whether there are 
syntactically invalid domain names. :-)  If I want to know what a 
"single domain name" is, I'll see what the RFCs say.  My statement is 
not a case of "the RFC says so" as I am not an advocate of such an 
argument.  I refer to the relevant text as, in my eyes, it provides a 
good explanation as to why we do things in a particular manner.

There isn't any requirement that DKIM must only be used on the public 
Internet.  In practice, most users of the technology will be on the 
Internet.  Let's agree about the term without constraining where DKIM 
can be used.

I suggest using "a domain name".  I don't see the point of having 
"single" in that text as the public key retrieval will fail if we use 
more than one domain name.  If the WG wants to be precise, I'm fine 
with that.  The interpretation of domain name here is within the 
context of DNS.  For those of you who don't understand what that 
means, please talk with the DNS folks.  They are highly skilled in 
the art of frustrating application designers when that question is raised. :-)

Regards,
-sm  

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 26, 2009, at 7:05 PM, Dave CROCKER wrote:

> well, now I'm completely confused.  to my eyes, your example fits  
> exactly what 'registered' and 'resolvable' mean, but I guess you  
> have something else in mind.
>

hatstand.beartrap.blighty.com doesn't resolve. A query for it returns  
NXDOMAIN, and it doesn't exist in DNS in any way:

  steve$ dig  hatstand.beartrap.blighty.com txt
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12223

Yet it's potentially a valid SDID, because  
banjo.aardvark._domainkey.hatstand.beartrap.blighty.com *does* return  
a TXT record.

  steve$ dig +short  
banjo.aardvark._domainkey.hatstand.beartrap.blighty.com txt
  "I am a public key - no, really!"

Not only does hatstand.beartrap.blighty.com not resolve, it's not  
registered anywhere. It exists solely as a substring of the string  
that's actually queried -  
banjo.aardvark._domainkey.hatstand.beartrap.blighty.com

The only thing that can be said about the SDID in DNS terms is that  
the signer of the mail has the ability to add TXT records in the  
subtree rooted at that domain.

Given that, trying to make more specific statements about what the  
SDID is than something vague like "a domain name" is likely to lead to  
something that's misleading or plain wrong.

-1 on "registered" or "resolvable".

Cheers,
   Steve


> RFC 1034 and RFC 1035 make many references to resolvers.
>
> d/
>
> Steve Atkins wrote:
>> On Mar 26, 2009, at 6:36 PM, Dave CROCKER wrote:
>>>
>>> Steve Atkins wrote:
 On Mar 26, 2009, at 6:26 PM, Barry Leiba wrote:
> We could say "DNS-resolvable".
 We could, but it's not actually a requirement that the SDID  
 resolve  in  the DNS (and in many cases it won't).
>>>
>>> Really?
>>>
>>> Then how does the receiver obtain the public key for performing   
>>> verification?
>>>
>>> key retrieval is defined as using d=.
>> If you receive an email with a selector of banjo.aardvark and an  
>> SDID  of hatstand.beartrap.blighty.com then you'll hopefully be  
>> able to  resolve  
>> banjo.aardvark._domainkey.hatstand.beartrap.blighty.com, but   
>> that's all you can say about ability to resolve any query in the   
>> domain tree under the SDID, including the SDID itself.
>> At least, that's how I understand it.
>> Cheers,
>>   Steve
>> ___
>> NOTE WELL: This list operates according to 
>> http://mipassoc.org/dkim/ietf-list-rules.html
>
> -- 
>
>  Dave Crocker
>  Brandenburg InternetWorking
>  bbiw.net

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

well, now I'm completely confused.  to my eyes, your example fits exactly what 
'registered' and 'resolvable' mean, but I guess you have something else in mind.

RFC 1034 and RFC 1035 make many references to resolvers.

d/

Steve Atkins wrote:
> On Mar 26, 2009, at 6:36 PM, Dave CROCKER wrote:
> 
>>
>> Steve Atkins wrote:
>>> On Mar 26, 2009, at 6:26 PM, Barry Leiba wrote:
 We could say "DNS-resolvable".
>>> We could, but it's not actually a requirement that the SDID resolve  
>>> in  the DNS (and in many cases it won't).
>>
>> Really?
>>
>> Then how does the receiver obtain the public key for performing  
>> verification?
>>
>> key retrieval is defined as using d=.
> 
> If you receive an email with a selector of banjo.aardvark and an SDID  
> of hatstand.beartrap.blighty.com then you'll hopefully be able to  
> resolve banjo.aardvark._domainkey.hatstand.beartrap.blighty.com, but  
> that's all you can say about ability to resolve any query in the  
> domain tree under the SDID, including the SDID itself.
> 
> At least, that's how I understand it.
> 
> Cheers,
>Steve
> 
> ___
> NOTE WELL: This list operates according to 
> http://mipassoc.org/dkim/ietf-list-rules.html
> 

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 26, 2009, at 6:36 PM, Dave CROCKER wrote:

>
>
> Steve Atkins wrote:
>> On Mar 26, 2009, at 6:26 PM, Barry Leiba wrote:
>>> We could say "DNS-resolvable".
>> We could, but it's not actually a requirement that the SDID resolve  
>> in  the DNS (and in many cases it won't).
>
>
> Really?
>
> Then how does the receiver obtain the public key for performing  
> verification?
>
> key retrieval is defined as using d=.

If you receive an email with a selector of banjo.aardvark and an SDID  
of hatstand.beartrap.blighty.com then you'll hopefully be able to  
resolve banjo.aardvark._domainkey.hatstand.beartrap.blighty.com, but  
that's all you can say about ability to resolve any query in the  
domain tree under the SDID, including the SDID itself.

At least, that's how I understand it.

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

Steve Atkins wrote:
> On Mar 26, 2009, at 6:26 PM, Barry Leiba wrote:
>> We could say "DNS-resolvable".
> 
> We could, but it's not actually a requirement that the SDID resolve in  
> the DNS (and in many cases it won't).


Really?

Then how does the receiver obtain the public key for performing verification?

key retrieval is defined as using d=.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 26, 2009, at 6:26 PM, Barry Leiba wrote:

> We could say "DNS-resolvable".

We could, but it's not actually a requirement that the SDID resolve in  
the DNS (and in many cases it won't).

I think "domain name" is just vague enough to avoid these problems. If  
you try and make it more specific without making it misleading, it's  
going to take more than just a couple of words to describe accurately.

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Barry Leiba]

We could say "DNS-resolvable".

Barry
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 26, 2009, at 6:10 PM, Dave CROCKER wrote:

>
>
> Steve Atkins wrote:
>> On Mar 26, 2009, at 3:49 PM, Dave CROCKER wrote:
 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
>>> ...
New:
  A single domain name that is the mandatory payload output of
  DKIM and that refers to the identity claiming  
 responsibility  for
  introduction of a message into the mail stream.  For DKIM
  processing, the name has only basic domain name semantics; any
  possible owner-specific semantics is outside the scope of  
 DKIM.
>>>   A single domain name -> A single, registered domain name
>> Registered with who?
>> If the SDID is, say, hatstand.beartrap.blighty.com?
>
>
> Registered with the DNS, the global distributed hierarchical service.
>
> From the other uses of this language I'm seeing on the net, this  
> isn't said explicitly.  Do you really feel that the meaning is not  
> clear?

Registered means that the string is registered with a registry.

That's not something I'd want the language to even hint at, let alone  
actually say. It's going to lead to confusion when explaining this to  
people, as you'll need to directly contradict the wording in the spec  
when you reassure them that, no, there is no central DKIM registry.

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

Steve Atkins wrote:
> On Mar 26, 2009, at 3:49 PM, Dave CROCKER wrote:
>>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
>> ...
>>> New:
>>>   A single domain name that is the mandatory payload output of
>>>   DKIM and that refers to the identity claiming responsibility  
>>> for
>>>   introduction of a message into the mail stream.  For DKIM
>>>   processing, the name has only basic domain name semantics; any
>>>   possible owner-specific semantics is outside the scope of DKIM.
>>A single domain name -> A single, registered domain name
> 
> Registered with who?
> 
> If the SDID is, say, hatstand.beartrap.blighty.com?


Registered with the DNS, the global distributed hierarchical service.

 From the other uses of this language I'm seeing on the net, this isn't said 
explicitly.  Do you really feel that the meaning is not clear?

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Steve Atkins]

On Mar 26, 2009, at 3:49 PM, Dave CROCKER wrote:
>
>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
> ...
>> New:
>>   A single domain name that is the mandatory payload output of
>>   DKIM and that refers to the identity claiming responsibility  
>> for
>>   introduction of a message into the mail stream.  For DKIM
>>   processing, the name has only basic domain name semantics; any
>>   possible owner-specific semantics is outside the scope of DKIM.
>
>A single domain name -> A single, registered domain name

Registered with who?

If the SDID is, say, hatstand.beartrap.blighty.com?

Cheers,
   Steve

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Barry Leiba]

>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
...
>    A single domain name -> A single, registered domain name
...
>> 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
...
>    A single domain name -> A single, syntactically valid domain name

Well, to make them similar, how about this for 7?:
A single domain name -> A single domain name, not necessarily registered,

Barry

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Jeff Macdonald]

On Thu, Mar 26, 2009 at 03:49:38PM -0700, Dave CROCKER wrote:
>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
>...
>>  New:
>>A single domain name that is the mandatory payload output of
>>DKIM and that refers to the identity claiming responsibility for
>>introduction of a message into the mail stream.  For DKIM
>>processing, the name has only basic domain name semantics; any
>>possible owner-specific semantics is outside the scope of DKIM.
>
>A single domain name -> A single, registered domain name
>
>
>> 
>> 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
>...
>>  New:
>>A single domain name that identifies the agent or user on behalf
>>of whom the SDID has taken responsibility.  For DKIM
>>processing, the name has only basic domain name semantics; any
>>possible owner-specific semantics is outside the scope of DKIM.
>
>A single domain name -> A single, syntactically valid domain name
>
>{{ no, I'm not in love that that wording choice.  /d }}
>
>
>How much indigestion does this cause?

none for me. +1


-- 
Jeff Macdonald
jmacdon...@e-dialog.com

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Jeff Macdonald]

On Thu, Mar 26, 2009 at 07:59:48PM -0400, Jeff Macdonald wrote:
> On Thu, Mar 26, 2009 at 03:49:38PM -0700, Dave CROCKER wrote:
>>> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
>> ...
>>>  New:
>>>A single domain name that is the mandatory payload output of
>>>DKIM and that refers to the identity claiming responsibility for
>>>introduction of a message into the mail stream.  For DKIM
>>>processing, the name has only basic domain name semantics; any
>>>possible owner-specific semantics is outside the scope of DKIM.
>>
>>A single domain name -> A single, registered domain name
>>
>>
>>>
>>> 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
>> ...
>>>  New:
>>>A single domain name that identifies the agent or user on behalf
>>>of whom the SDID has taken responsibility.  For DKIM
>>>processing, the name has only basic domain name semantics; any
>>>possible owner-specific semantics is outside the scope of DKIM.
>>
>>A single domain name -> A single, syntactically valid domain name
>>
>> {{ no, I'm not in love that that wording choice.  /d }}
>>
>>
>> How much indigestion does this cause?
>
> none for me. +1

oh, and +1 for the others

-- 
Jeff Macdonald
jmacdon...@e-dialog.com

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

[ietf-dkim] (registered) domain name (Re: errata revision: opaque)

[Dave CROCKER]

Jim Fenton wrote:

> Just for completeness, I'll point out that some might feel that the 
> (indirect) statement that the domain name portion of the AUID has domain 
> name semantics is too strong.  The subdomain portion (the portion, if 
> any, that is a subdomain of the SDID) doesn't need to be an actual 
> domain at all.
> 
> I'm not sure it's necessary to clutter the definition with this detail, 
> however.  I'm happy with it the way it is.


Well, I think we should make sure that clarification text doesn't wind up 
diverging from the precise semantics of what it is trying to clarify, lest we 
create ambiguity.

So while this might be a pain, I think it's good you caught this issue and 
raised it.

I don't claim to know the nuances of this issue well enough.  For starters, I 
did some searching around, which might or might not have improved my 
understanding...

The best I can find is two kinds of distinction.  The term "hostname" refers to 
a constraint on use of the full Domain Name namespace.  The term "registered" 
appears to be the way of distinguishing names that appear in the operational 
service, ie, the public database.

That is, the former refers to names and the latter refers to a query mechanism.

When we say "actual", I think it translates into what the documents I'm seeing 
are calling "registered".

RFC4871's i= text says:

  "The domain part of the address MUST be the same as or a subdomain of the 
value of the "d=" tag"

which does not imply registration or non-registration.  Either appears to be 
legal.

I think this does motivate two improvements to the draft language, one for SDID 
and one for AUID:

> 6.  RFC4871 Section 2.9 Signing Domain Identifier (SDID)
...
>  New:
>A single domain name that is the mandatory payload output of
>DKIM and that refers to the identity claiming responsibility for
>introduction of a message into the mail stream.  For DKIM
>processing, the name has only basic domain name semantics; any
>possible owner-specific semantics is outside the scope of DKIM.

A single domain name -> A single, registered domain name


> 
> 7.  RFC4871 Section 2.10 Agent or User Identifier (AUID)
...
>  New:
>A single domain name that identifies the agent or user on behalf
>of whom the SDID has taken responsibility.  For DKIM
>processing, the name has only basic domain name semantics; any
>possible owner-specific semantics is outside the scope of DKIM.

A single domain name -> A single, syntactically valid domain name

{{ no, I'm not in love that that wording choice.  /d }}


How much indigestion does this cause?

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html