[ietf-dkim] SSP issues
johnl at iecc.com
Sat Jun 2 14:37:06 PDT 2007
>As an aside, I don't believe there's anything that prevents use
>of TXT records, as currently specced, with wildcards, other than
>lack of support in the more widely used nameservers.

It depends on what your plan for using TXT records is. If you're
planning to use a prefix like _ssp.example.com, internal wild cards
like _ssp.*.example.com aren't ever likely to work because it would be
a compatibility issue. (Think of the fun when a secondary that
doesn't handle them AXFRs a zone.) There have been some suggestions for
internal wild cards marked by ** but I gather that has unpleasant
interactions with DNSSEC.

The alternative is to do what SPF did, put the TXT record directly at
the name and use version strings at the beginning of each record to
tell them apart. Beyond the gross ugliness, there are concerns about
how likely client code is to reliably ignore the records it doesn't
understand, and there may also be some issues where the names you want
to wildcard for SSP overlap with the ones for SPF.

We've gone around this enough times that I think that if there were a
reasonable way to do wildcards with TXT records, we'd have stumbled
across it by now.
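
The following is an added illustration, not part of the original message or of any DKIM/SSP specification: a toy lookup with simplified RFC 4592 wildcard matching, showing that a `*` in an interior label is only a literal name, and how a client has to filter SPF-style records by version tag. The zone data is constructed, `v=ssp-example1` is a hypothetical tag, and the function names are made up for the example.

```python
# Constructed sample zone (owner name -> TXT strings); not real DNS data.
# "v=ssp-example1" is a hypothetical version tag; "v=spf1" is SPF's real one.
ZONE = {
    "example.com": ["v=spf1 mx -all"],
    "*.example.com": ["v=spf1 -all", "v=ssp-example1 strict"],
    "_ssp.*.example.com": ["v=ssp-example1 internal"],  # attempted internal wildcard
    "mail.example.com": ["v=spf1 a -all"],
}

def exists(name, zone=ZONE):
    """A name exists if it or any descendant owns records (empty non-terminals count)."""
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup_txt(qname, zone=ZONE):
    """Simplified RFC 4592 matching: exact name, else '*' directly below the closest encloser."""
    qname = qname.lower().rstrip(".")
    if exists(qname, zone):
        return list(zone.get(qname, []))   # existing names never get wildcard data
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if exists(ancestor, zone):          # closest encloser found
            return list(zone.get("*." + ancestor, []))
    return []

def select(records, tag):
    """Keep only records whose first whitespace-separated token is the version tag."""
    return [r for r in records if r.lower().split(None, 1)[:1] == [tag.lower()]]

if __name__ == "__main__":
    for q in ("_ssp.host.example.com", "_ssp.*.example.com",
              "host.example.com", "mail.example.com", "_ssp.mail.example.com"):
        print(q, "->", lookup_txt(q))
```

The sketch ignores record types other than TXT, CNAMEs and delegations; it only models which owner name answers a query.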