[ietf-dkim] DNS wildcarding behavior scenarios
hsantos at santronics.com
Fri Jun 8 10:28:28 PDT 2007
Michael Thomas wrote:
> Hi all,
> I think that there is a huge amount of confusion about how DNS wildcards
> work, and in particular how they might come to bear on the discovery
> problem for ssp-requirements, 5.1.4.
Michael, rather than continue this path of trying to tell people how
confused they are and that you know better, just show us your results.
Honestly, there are a lot of SMART people here - we are NOT stupid.
I'm glad you did this similar exercise that I did. I only did so to get
DNS people to explore how it can be done, and if there are certain
bottlenecks, hiccups, how do we get around it.
> Executive summary: Wildcards, either TXT or a new one DO NOT meet this
I'm not sure 100% that I agree. Maybe the requirement is wrong? If I
read your testing right, it is also based on not using a prefix. So
maybe that method is not right. Maybe you need to have a cut off.
Case in point:
> 4) Node which has a valid A record
> fugu$ host -t txt gate.mtcc.com
> gate.mtcc.com has no TXT record
> Here, the wildcard ceases to work and the resolver returns
> an ancount of zero. This case still *must* be handled somehow
> by SSP.
Right. This can be handled some way.
> 6) As it relates to the _domainkey subnode
> fugu$ host -t txt _domainkey.mtcc.com
> _domainkey.mtcc.com has no TXT record
> Note again that the wildcard at mtcc.com does not cover
> this since there are subnodes that bear RR's. This is really
> another case of 4 but it works even when it's an interior
> node that bears no RR's at its node.
Right, especially if you have a prefix for the SSP record that is
different than the KEY record.
I think the difference with my exercise is that here, you use the entire
domain where in my exercise, I borrowed the logic used in the LMAP
protocol "DMP" to use a prefix with a split of the domain:
*._SSP.<domain.tld> global answer
_SSP.<domain.tld> main domain answer
[subdomains.]_SSP.<domain.tld> subdomain answer
The only problem that I see with this style is that the client has to be
aware of the zone cuts. It needs knowledge of the gTLDs and ccTLDs.
Let's not throw out the baby with the bath water yet.
Hector Santos, CTO