[ietf-dkim] wildcards, draft-ietf-dkim-rfc4871bis-03 submitted
wietse at porcupine.org
Thu Feb 17 05:42:04 PST 2011
> >> 2. Advice about wildcards in TXT records.
> >>
> >> Proposed change: Add a note in section 6.1.2 warning about the effect
> >> of wildcard TXT records on finding DKIM key records.
>
> Section 184.108.40.206 currently says:
>
>     INFORMATIVE OPERATIONAL NOTE: Wildcard DNS records (e.g.,
>     *.bar._domainkey.example.com) do not make sense in this context
>     and should not be used. Note also that wildcards within domains
>     (e.g., s._domainkey.*.example.com) are not supported by the DNS.
>
> That first sentence is just plain wrong. I have been using wildcard
> DNS records of exactly that form for months, and they work fine. I
> put a unique selector on each message, and when I get around to it
> will extract the DNS lookup info to figure out how many people are
> looking at my signatures. This may be morally reprehensible, but it
> does make sense.
>
> I suggest we delete the whole note.

I suggest replacing this with the replacement 6.1.2 text proposed
below, but I would not object to John's proposed changes either.
So that's a +1 from me.

> Section 6.1.2 says:
>
>     NOTE: The use of wildcard TXT records in the DNS will produce a
>     response to a DKIM query that is unlikely to be valid DKIM key
>     record. This problem applies to many other types of queries, and
>     client software that processes DNS responses needs to take this
>     problem into account.
>
> This is only true if the name of the record doesn't include
> _domainkey, so *._domainkey.example.com or
> *.foo._domainkey.example.com is OK, but *.example.com is not. So I
> suggest we rewrite it as:
>
>     NOTE: Wildcard TXT records whose names are not in the _domainkey
>     subdomain will generally produce a response to a DKIM query that
>     is not a valid DKIM key record. This problem applies to many
>     other types of queries, and client software that processes DNS
>     responses needs to take this problem into account.
>
> John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
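The distinction John draws above (a wildcard inside the _domainkey subtree answers selector lookups with a real key record, while an apex wildcard such as *.example.com answers them with whatever unrelated TXT data it carries) follows from how DNS wildcard synthesis works. The following Python is an added illustration, not code from the thread or from any DKIM implementation: it models a zone as a dictionary of constructed TXT records, applies the simplified RFC 4592 "closest encloser" rule for wildcards (a wildcard only matches when no more specific node exists between it and the query name), and then checks whether what comes back is a plausible DKIM key record (the p= tag is required; v=, if present, must be DKIM1). The zone contents and the truncated public key value are placeholders.

```python
"""Toy model of DNS wildcard TXT records versus DKIM key lookups."""

# Constructed zones (owner name -> list of TXT strings); not real DNS data.
ZONE_APEX_WILDCARD = {
    "example.com.": ["v=spf1 -all"],
    "*.example.com.": ["v=spf1 -all"],            # catch-all at the apex
}
ZONE_DOMAINKEY_WILDCARD = {
    "example.com.": ["v=spf1 -all"],
    # Placeholder key material, not a real public key.
    "*._domainkey.example.com.": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64"],
}
ZONE_BLOCKED = {
    "example.com.": ["v=spf1 -all"],
    "*.example.com.": ["v=spf1 -all"],
    # An existing node under the apex shadows the apex wildcard for
    # everything beneath it, so selector lookups get no data at all.
    "_domainkey.example.com.": ["unrelated TXT data"],
}


def dkim_query_name(selector, domain):
    """Name a verifier queries for a DKIM key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}."


def lookup_txt(zone, qname):
    """Return TXT strings for qname, with simplified RFC 4592 wildcard rules.

    An exact match wins. Otherwise the closest encloser is the longest
    proper suffix of qname that exists in the zone (including implicit
    empty non-terminals), and only '*.<closest encloser>' may synthesize
    an answer. Returns [] when nothing matches.
    """
    if qname in zone:
        return zone[qname]
    existing = set()
    for owner in zone:
        parts = owner.split(".")
        for i in range(len(parts)):
            existing.add(".".join(parts[i:]))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in existing:
            return zone.get("*." + suffix, [])
    return []


def parse_dkim_key(txt):
    """Return the tag dict if txt is shaped like a DKIM key record, else None."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            return None          # tag=value syntax required
        key, value = item.split("=", 1)
        tags[key.strip()] = value.strip()
    if "v" in tags and tags["v"] != "DKIM1":
        return None              # v= is optional but must be DKIM1 if present
    if "p" not in tags:
        return None              # public key tag is mandatory
    return tags


def fetch_dkim_key(zone, selector, domain):
    """Resolve and validate the key record; None if no usable record comes back."""
    for txt in lookup_txt(zone, dkim_query_name(selector, domain)):
        parsed = parse_dkim_key(txt)
        if parsed is not None:
            return parsed
    return None


if __name__ == "__main__":
    for name, zone in [("apex wildcard", ZONE_APEX_WILDCARD),
                       ("_domainkey wildcard", ZONE_DOMAINKEY_WILDCARD),
                       ("shadowed apex wildcard", ZONE_BLOCKED)]:
        raw = lookup_txt(zone, dkim_query_name("s1", "example.com"))
        print(f"{name:24} raw TXT: {raw!r:45} key usable: "
              f"{fetch_dkim_key(zone, 's1', 'example.com') is not None}")
```

The apex-wildcard zone returns the SPF string for every selector query, which a verifier must reject as a key record rather than treat as a lookup success; the _domainkey wildcard returns a well-formed key for any selector, which is exactly the behaviour John describes; and the third zone shows that merely creating the _domainkey node stops the apex wildcard from answering selector queries.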