--- Andrew Newton <andy(_at_)hxr(_dot_)us> wrote:
> I've noticed that quite a few domains sporting DK policy records
> have a syntax that isn't quite what is specified in Appendix A of the
> draft. A classic example is yahoo.com:
>
> $ dig _domainkey.yahoo.com txt
> _domainkey.yahoo.com. 7200 IN TXT "t=y\; o=~\; n=http://
>
> I'm talking about the tag/value termination with "\;" (slash
> followed by semicolon).
>
> And it seems quite pervasive. Of 324 domains I have found with DK
> policy records, 257 of them do this exact same thing.

What you're experiencing is a side-effect of the dig command. The actual TXT
records do not contain the backslash, rather dig is inserting them because...
well, I actually have no clue why it's inserting them as part of the render,
but it's probably an escape mechanism related to named config syntax.
Try using a non-BIND command to query the DNS and see what you get.

> As a side note: it would be nice if future versions of DK would have
> a simple identifier marking the TXT as a DK record. I have found 3
> times as many SPF records with _domainkey prefixes than actual DK
> records. I would think v=dk1; would work and be compatible with the
> current syntax. Of course, with a dedicated record type this is not

Right. You are probably actually experiencing folk who are putting wild-card
TXT entries in their zones.
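
An added example, not part of the original thread: a survey script that reads dig's text output can undo the RFC 1035 master-file escapes (`\X` and `\DDD`) before splitting on ";", and set aside SPF strings that a wildcard TXT record returns under _domainkey. The sample strings are constructed, and treating the t/o/n tags seen in the yahoo.com record as the sign of a DK policy record is an assumption of this sketch.

```python
import re

# Constructed samples in dig's presentation format (not real query results).
SAMPLE_DIG = r'"t=y\; o=~\; n=http://example.invalid/policy"'
SAMPLE_SPF = '"v=spf1 -all"'

def unescape_txt(presentation: str) -> str:
    """Undo master-file escaping: \\DDD is a decimal octet, \\X is literal X."""
    body = presentation.strip()
    if len(body) >= 2 and body[0] == body[-1] == '"':
        body = body[1:-1]          # drop the quotes dig prints around the string
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            ddd = body[i + 1:i + 4]
            if re.fullmatch(r"[0-9]{3}", ddd) and int(ddd) <= 255:
                out.append(chr(int(ddd)))
                i += 4
            else:
                out.append(body[i + 1])
                i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            tags[name.strip()] = value.strip()
    return tags

def classify(presentation: str):
    """Return (kind, tags) for one TXT string found under _domainkey."""
    text = unescape_txt(presentation)
    if text.lower().startswith("v=spf1"):
        return "spf", {}           # likely a wildcard TXT match, not a DK record
    tags = parse_tags(text)
    # Assumption: any of the tags visible in the thread marks a policy record.
    kind = "dk-policy" if {"t", "o", "n"} & tags.keys() else "unknown"
    return kind, tags

if __name__ == "__main__":
    for sample in (SAMPLE_DIG, SAMPLE_SPF):
        print(classify(sample))
```

Parsing the dig text without the unescape step leaves a trailing backslash on each value, which is the "\;" termination reported in the quoted message.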