[ietf-dkim] DNS wildcarding behavior scenarios

Hector Santos hsantos at santronics.com
Fri Jun 8 10:28:28 PDT 2007


Michael Thomas wrote:
> 
> Hi all,
> 
> I think that there is a huge amount of confusion about how DNS wildcards
> work, and in particular how they might come to bear on the discovery
> problem for ssp-requirements, 5.1.4.

Michael, rather than continue this path of trying to tell people how
confused they are and that you know better, just show us your results.
Honestly, there are a lot of SMART people here - we are NOT stupid.

I'm glad you did this similar exercise that I did.  I only did so to get
DNS people to explore how it can be done, and if there are certain
bottlenecks or hiccups, how do we get around them.

> Executive summary: Wildcards, either TXT or a new one DO NOT meet this
> requirement.

I'm not sure 100% that I agree. Maybe the requirement is wrong? If I
read your testing right, it is also based on not using a prefix. So
maybe that method is not right. Maybe you need to have a cut off.

Case in point:

> 
> 4) Node which has a valid A record
> 
>    fugu$ host -t txt gate.mtcc.com
>    gate.mtcc.com has no TXT record
> 
>    Here, the wildcard ceases to work and the resolver returns
>    an ancount of zero. This case still *must* be handled somehow
>    by SSP.

Right.  This can be handled some way.

> 6) As it relates to the _domainkey subnode
> 
>    fugu$ host -t txt _domainkey.mtcc.com
>    _domainkey.mtcc.com has no TXT record
> 
>    Note again that the wildcard at mtcc.com does not cover
>    this since there are subnodes that bear RR's. This is really
>    another case of 4 but it works even when it's an interior
>    node that bears no RR's at its node.

Right, especially if you have a prefix for the SSP record that is 
different than the KEY record.

I think the difference with my exercise is that here, you use the entire 
domain where in my exercise, I borrowed the logic used in the LMAP 
protocol "DMP" to use a prefix with a split of the domain:

     *._SSP.<domain.tld>                global answer
     _SSP.<domain.tld>                  main domain answer
     [subdomains.]_SSP.<domain.tld>     subdomain answer

This works!

The only problem that I see with this style is that the client has to be
aware of the zone cuts.  It needs knowledge of the gTLDs and ccTLDs.

Let's not throw out the baby with the bath water yet.


-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
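As an added illustration of the two quoted cases (4 and 6) and of the prefixed _SSP layout described in the message above (example code, not from this thread or from either author): a toy resolver that applies the RFC 4592 wildcard rules to a constructed mtcc.com zone. The zone contents, record text and the lowercase "_ssp" label are assumptions made for the example.

```python
# Toy model of DNS wildcard matching (RFC 4592 rules) applied to a zone
# modelled on the mtcc.com tests quoted above, plus a prefixed _SSP subtree.
# All zone data below is constructed for illustration.

def _labels(name):
    return tuple(name.lower().rstrip(".").split("."))

def _existing_nodes(zone):
    # Every owner name exists, and so does every ancestor of it: an
    # "empty non-terminal" such as _domainkey.mtcc.com in case 6 is a node.
    nodes = set()
    for owner in zone:
        l = _labels(owner)
        nodes.update(l[i:] for i in range(len(l)))
    return nodes

def lookup(zone, qname, qtype):
    """Answer qname/qtype. A wildcard is consulted only when qname does not
    exist and its closest existing ancestor is the wildcard's parent."""
    q = _labels(qname)
    nodes = _existing_nodes(zone)
    if q in nodes:  # node exists: answer from it, even if the RRset is empty
        return zone.get(".".join(q), {}).get(qtype, [])
    for i in range(1, len(q)):
        encloser = q[i:]
        if encloser in nodes:  # closest encloser found; try its wildcard child
            return zone.get(".".join(("*",) + encloser), {}).get(qtype, [])
    return []

def ssp_query_name(host, org_domain, prefix="_ssp"):
    """Split layout from the message: the client must already know the zone
    cut (org_domain), which is the gTLD/ccTLD knowledge caveat raised above."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    if host == org_domain:
        return f"{prefix}.{org_domain}"
    sub = host[: -len(org_domain) - 1]
    return f"{sub}.{prefix}.{org_domain}"

# Constructed zone; owner names are lowercase without a trailing dot.
ZONE = {
    "mtcc.com": {"A": ["192.0.2.1"]},
    "*.mtcc.com": {"TXT": ["v=wildcard-policy"]},
    "gate.mtcc.com": {"A": ["192.0.2.2"]},                 # case 4: real node
    "sel._domainkey.mtcc.com": {"TXT": ["v=DKIM1; p=example"]},  # case 6 parent
    "_ssp.mtcc.com": {"TXT": ["main domain answer"]},
    "*._ssp.mtcc.com": {"TXT": ["global answer"]},
}
```

Querying gate._ssp.mtcc.com reaches the wildcard even though gate.mtcc.com itself has an A record, because the _ssp subtree holds nothing but policy records.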
