[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)
Dave Crocker
dhc at dcrocker.net
Thu Aug 31 11:45:19 PDT 2023
On 8/30/2023 4:02 PM, Michael Thomas via Internet-history wrote:
> On 8/30/23 7:06 AM, Dave Crocker via Internet-history wrote:
>> Besides the DNS, there is no other global Internet query service that
>> has integrated functional semantics. The web might be mistakenly
>> thought to be one, but it isn't. It is a global mechanism for
>> accessing a very large number of entirely independent query
>> services. Quite different from the nature and benefit of an
>> integrated service like the DNS.
>>
> Except for the part that DNSSec is largely not deployed and https is.
> DNS gets by unsecured largely by "trust but verify" where "verify" is
> largely TLS. When you are using it to transfer keys, in this case, that's
> extremely dodgy. And a SRV record neatly creates that global service.
> Good thing they exist.
>
The question of DNS security was, of course, given attention during DKIM
design. The view that dominated was that DNS security was quite
important. So important that its scope was far beyond DKIM and needed
to be handled separately from DKIM.
That is, if attacks on the DNS became a factor, the DNS community needed
to deal with it, not the DKIM community.
To date this has proved an effective simplification for DKIM. Attacks on
DNS-based DKIM information have not been an issue, to my knowledge.
Best is that the DNS community's approach to the topic has been varied,
rather than just latching onto the high-burden DNSSec as the sole approach.
As for not using the DNS, the alternative approach of doing web-based
queries carries a substantial cost of establishing consistent, reliable,
efficient service where one did not necessarily already exist. A small
example is that use of DNS already means server redundancy. There are
likely other concerns with having to fire up a web server instance for
every DKIM key query...
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social