[ietf-dkim] Re: New issue: Upward query vs. wildcard publication
dhc at dcrocker.net
Wed Apr 18 07:30:16 PDT 2007
Jim Fenton wrote:
> I don't remember offhand how CSV did this.
From the specification at <http://mipassoc.org/csv>:
> If a domain administrator declares an assertion about all names
> within a domain, the appropriate bit MUST be set in the Port field of
> the CSV-CSA record at the root of the domain for which the assertion
> applies, and MAY be repeated at subdomains of that domain. The
> Explicit bit applies to a domain and all its subdomains. If it is
> repeated in a subdomain it has no effect on the semantics, but it
> might cause a search to stop sooner.
> Domain administrators SHOULD publish records with such assertions in
> the port field at a level no deeper than sixth-level domains, such as
> since receivers are expected to search no deeper than that, and will
> most likely not find records published for seventh-level or deeper.
> (Receivers will, of course, still query for the weight field at the
> exact level of the EHLO string.)
The key to making this scheme work is that the domain name must exist.
Bad actors cannot use a non-existent name. Hence, the owner of the root
for the organization's domain name (e.g., example.com) can know where to
place these marker records, below the organization's root.
This approach is, of course, a royal pain, but our feeling was that the
effort was tractable, within the confines of using an existing record.
For CSV, the SRV record was specified.
Things change considerably if a new RR is used, since regular DNS
wildcards come back into consideration.
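As an added illustration of the upward search the quoted CSV text describes (this is example code written for this page, not from the CSV specification, the mipassoc.org site, or the original post), the following simulates a receiver that queries the exact EHLO name for the weight field, then walks upward looking for a CSV-CSA record whose port field carries the Explicit bit, stopping at sixth-level domains. The SRV owner-name prefix `_client._smtp`, the bit value chosen for the Explicit flag, the decision to stop above second-level domains, and every record in the `ZONE` table are assumptions constructed for the example.

```python
"""
Simulated CSV-CSA upward search (added example; assumptions are marked).

A receiver looks up the SRV record for the exact EHLO name to get the
weight field, then searches upward toward the organisational root for a
record whose port field has the Explicit bit set.  Per the quoted text,
the upward search goes no deeper than sixth-level domains, so a marker
published at a seventh-level name is not found by the search.
"""

SRV_PREFIX = "_client._smtp"   # assumed CSV-CSA owner-name prefix
EXPLICIT_BIT = 0x1             # assumed bit position in the SRV port field
MAX_DEPTH = 6                  # sixth-level domains and shallower are searched
MIN_DEPTH = 2                  # assumed: stop before querying a bare TLD

# Constructed zone data: SRV owner name -> {"weight": ..., "port": ...}.
ZONE = {
    # organisational root publishes the Explicit assertion for all names below it
    f"{SRV_PREFIX}.example.com": {"weight": 1, "port": EXPLICIT_BIT},
    # a real MTA name with its own record (weight only, no Explicit bit)
    f"{SRV_PREFIX}.mta1.example.com": {"weight": 1, "port": 0},
    # another org that (wrongly) publishes Explicit only at a seventh-level name
    f"{SRV_PREFIX}.f.e.d.c.b.example.org": {"weight": 1, "port": EXPLICIT_BIT},
}


def _labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def lookup_csa(name):
    """Simulated DNS SRV query for the CSV-CSA record at `name` (None = NXDOMAIN)."""
    return ZONE.get(f"{SRV_PREFIX}.{'.'.join(_labels(name))}")


def csv_search(ehlo_name):
    """
    Return the weight at the exact EHLO level, the name at which an Explicit
    marker was found (or None), and how many simulated queries were issued.
    """
    labs = _labels(ehlo_name)
    exact = lookup_csa(ehlo_name)          # always queried, for the weight field
    weight = exact["weight"] if exact else None
    queries = 1
    explicit_at = None

    # Walk from the EHLO name upward, one label at a time.
    for start in range(len(labs)):
        depth = len(labs) - start          # number of labels in the candidate
        if depth > MAX_DEPTH:
            continue                       # receivers search no deeper than sixth level
        if depth < MIN_DEPTH:
            break                          # assumed stopping point above the TLD
        candidate = ".".join(labs[start:])
        if start == 0:
            rec = exact                    # reuse the exact-level answer
        else:
            rec = lookup_csa(candidate)
            queries += 1
        if rec and rec["port"] & EXPLICIT_BIT:
            explicit_at = candidate        # a marker lower down only stops the search sooner
            break

    return {"weight": weight, "explicit_at": explicit_at, "queries": queries}


if __name__ == "__main__":
    for ehlo in ("mta1.example.com",          # real host, marker found at org root
                 "bogus.example.com",         # non-existent host, root marker still applies
                 "x.f.e.d.c.b.example.org",   # marker sits at seventh level: not searched
                 "f.e.d.c.b.example.org"):    # exact-level weight found, marker too deep
        print(ehlo, "->", csv_search(ehlo))
```

The third and fourth cases show the quoted caveat in action: the exact-level query still returns a weight for `f.e.d.c.b.example.org`, but because the upward search starts at sixth-level names the Explicit marker published there is never consulted, and a name one level below it gets no marker at all.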