[ietf-dkim] TXT Subdomain queries
Jim Fenton
fenton at cisco.com
Wed Jun 6 23:38:31 PDT 2007
Hector Santos wrote:
> I'm not DNS Administrator expert, but I did a small exploration in two
> possible ways to deal with sub-domains.
>
> I'm using the DSAP draft syntax to illustrate this
>
> Method one: Multiple TXT records:
>
> _dsap 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;
>
> _dsap 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
> a=rsa-sha256;
>
> _dsap 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;
>
> _dsap 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;
>
> _dsap 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;
>
> _dsap 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org
>
> Given a domain with any number of subdomains, if any, take the main
> domain and preface it with _DSAP to do a TXT lookup.
>
> For example: sales.isdgn.net
>
> NSLOOKUP -query=txt _dsap.isdg.net
>
> Non-authoritative answer:
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org"
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> _dsap.isdg.net text =
>
> "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
>
>
> In this case, the SD=sales subdomain tag is found to expose the domain
> policy.
Two issues:
When you receive a message from sales.idsg.net, how do you know that the
"main" domain is idsg.net? More generally, if you get a message from
covington.losaltos.k12.ca.us, what is the "main" domain?
Returning a whole bunch of TXT records doesn't scale at all well to
large numbers of subdomains.
>
> Method Two: Using Wildcards
>
> In this case, it's better to use the ZONE setup for this:
>
>
> *._ssp 0 TXT "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail;
> fs=fail;
>
> _ssp 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;
>
> corp._ssp 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
> a=rsa-sha256;
>
> sales._ssp 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;
>
> europe._ssp 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always;
> 3p=never; a=rsa-sha256;
>
> public._ssp 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;
>
> list._ssp 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org
>
>
> In this case, a lookup for sales._ssp.isdg.net will provide the record
> we want. If it was missing, then the first record is returned.
>
> So a lookup, NSLOOKUP -QUERY=TEXT foobar._ssp.isdg.net will yield:
>
> "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;
>
> Which says NO MAIL expected for this domain!
>
> What are the problems with this type of logic?
Again, the difficulty, if you receive a message from sales.idsg.net, is
knowing where to query. Is it sales._ssp.idsg.net, or
_ssp.sales.idsg.net? More complex domain names will result in more
possibilities.
-Jim
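To make both lookup methods and Jim's objection concrete, here is an added example (not code from the thread, from Hector's DSAP draft, or from any DKIM implementation): an in-memory zone constructed to mirror the records in Hector's post, a minimal resolver that applies the RFC 4592 wildcard rule (a wildcard only matches when the wildcard sits directly under the query name's closest existing ancestor), the two selection methods, and a helper that enumerates every query name a verifier would have to consider when it cannot tell where the "main" domain boundary lies. The `ZONE` contents, the `_dsap`/`_ssp` owner names and the tag names are taken from the post; the function names are mine. One consequence it surfaces that the post does not spell out: with method two, a lookup for `europe.sales._ssp.isdg.net` gets no record at all, because `sales._ssp.isdg.net` exists and therefore blocks synthesis from `*._ssp.isdg.net`.

```python
"""Added example: simulate the two DSAP-style subdomain policy lookups and the
"where do I query?" ambiguity. Nothing here talks to real DNS; ZONE is a
constructed in-memory stand-in for the records shown in the post."""


def parse_dsap(txt):
    """Parse a 'k=v; k=v;' TXT string into a dict (empty values are kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


# Constructed zone for isdg.net: owner name -> list of TXT strings.
ZONE = {
    # Method one: every policy under one owner name, selected by its sd= tag.
    "_dsap.isdg.net": [
        "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;",
        "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;",
        "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
        "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
        "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;",
        "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org",
    ],
    # Method two: one owner name per subdomain plus a wildcard catch-all.
    "*._ssp.isdg.net": ["v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"],
    "_ssp.isdg.net": ["v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"],
    "corp._ssp.isdg.net": ["v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"],
    "sales._ssp.isdg.net": ["v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"],
    "europe._ssp.isdg.net": ["v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"],
    "public._ssp.isdg.net": ["v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"],
    "list._ssp.isdg.net": ["v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"],
}


def lookup_txt(zone, qname):
    """Minimal resolver: exact owner match first, otherwise RFC 4592 wildcard
    synthesis. Only the wildcard that hangs directly under the closest
    existing ancestor of qname may match; an existing name in between blocks
    synthesis from a wildcard higher up."""
    if qname in zone:
        return list(zone[qname])
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        # An ancestor "exists" if it is an owner name or an empty non-terminal.
        exists = ancestor in zone or any(n.endswith("." + ancestor) for n in zone)
        if exists:
            return list(zone.get("*." + ancestor, []))
    return []


def policy_method_one(zone, main_domain, subdomain):
    """Hector's method one: fetch all TXT at _dsap.<main> and pick the record
    whose sd= tag names the subdomain (relative to main), else the sd=* one."""
    records = [parse_dsap(t) for t in lookup_txt(zone, "_dsap." + main_domain)]
    by_sd = {r.get("sd"): r for r in records}
    return by_sd.get(subdomain) or by_sd.get("*")


def policy_method_two(zone, main_domain, subdomain):
    """Hector's method two: one owner name per subdomain under _ssp.<main>,
    with *._ssp.<main> as the catch-all. Returns None when DNS has nothing."""
    qname = (subdomain + "." if subdomain else "") + "_ssp." + main_domain
    txts = lookup_txt(zone, qname)
    return parse_dsap(txts[0]) if txts else None


def candidate_query_names(sender_domain, label="_ssp"):
    """Jim's objection: a verifier that does not know where the 'main' domain
    starts has one plausible query name per label boundary."""
    labels = sender_domain.split(".")
    return [".".join(labels[:i] + [label] + labels[i:]) for i in range(len(labels) - 1)]


if __name__ == "__main__":
    print(policy_method_one(ZONE, "isdg.net", "sales"))
    print(policy_method_two(ZONE, "isdg.net", "foobar"))
    print(policy_method_two(ZONE, "isdg.net", "europe.sales"))
    for name in candidate_query_names("covington.losaltos.k12.ca.us"):
        print(name)
```

Both methods assume the verifier already knows `isdg.net` is the policy domain; `candidate_query_names` shows that for a five-label sender name there are four places the `_ssp` label could sit, which is the scaling problem Jim points at, and the `europe.sales` case shows that wildcard fallback does not behave like a simple "default record" once intermediate names exist.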