[ietf-dkim] Upper LeveL Domain
dotis at mail-abuse.org
Thu Apr 19 18:03:07 PDT 2007
On Apr 19, 2007, at 4:19 PM, Hallam-Baker, Phillip wrote:
> The problem here is that REGARDLESS of whose scheme you use you are
> going to need to deal with the problem that DNS wildcards do not
> have the semantics that you would want as an administrator. As we
> have discussed ad-nauseam, a DNS wildcard only applies to nodes in
> the zone which do not exist.
> So to make any of these schemes work we need a DNS server with the
> ability to manage macro-wildcards. This applies to Jim's schemes
> and to my schemes and to anyone else's schemes.
> If we have to add this capability to the DNS server there is not a
> significant cost to an XPTR record.
> But the key advantge here is that anyone can start DKIM signing and
> publishing SSP records today. That is not the case for a new RR.
The XPTR is a clever concept, but seems unlikely to be quickly
embraced. Regardless of the record used, this record accompanies all
other records found at each leaf. While scripts can be used to
populate a zone, automation needs to be endorsed and assured secure.
This represents a sizable investment with little added benefit from a
Publishing a list of domains run by registries provides far greater
performance for obtaining domain policy and reputation. This type of
list does not demand complex changes to DNS or usurping a RR selected
from the few supported in the corporate environment. This list
requires occasional maintenance, which is why it would be good to
standardize format and centralize where it is published.
Not as bad as distributing a host file, however every company
tracking domain reputation heavily depends upon this essential
information. Rather than each company individually generating their
own list, DKIM's base specification compatibility depends upon this
list being generally accepted and standardized as these domains are
to be excluded validating sub-domains. A specialized RR could even
be published by SLDs to signal the domain's use by a registry, which
could help with standardization efforts. : )
Mark's suggestions regarding domain depth offering sub-policies
(assuming sub-polices are less restrictive) seemed reasonable.
More information about the ietf-dkim