ietf-dkim

Re: [ietf-dkim] Re: New issue: Upward query vs. wildcard publication

2007-04-18 07:36:00


Jim Fenton wrote:
I don't remember offhand how CSV did this.

From the specification at <http://mipassoc.org/csv>:

If a domain administrator declares an assertion about all names
within a domain, the appropriate bit MUST be set in the Port field of
the CSV-CSA record at the root of the domain for which the assertion
applies, and MAY be repeated at subdomains of that domain. The
Explicit bit applies to a domain and all its subdomains. If it is
repeated in a subdomain it has no effect on the semantics, but it
might cause a search to stop sooner.

Domain administrators SHOULD publish records with such assertions in
the port field at a level no deeper than sixth-level domains, such as

"_client._smtp.sixth.fifth.fourth.third.second.com"

since receivers are expected to search no deeper than that, and will
most likely not find records published for seventh-level or deeper.
(Receivers will, of course, still query for the weight field at the
exact level of the EHLO string.)

The key to making this scheme work is that the domain name must exist. Bad actors cannot use a non-existent name. Hence, the owner of the root for the organization's domain name (e.g., example.com) can know where to place these marker records, below the organization's root.

This approach is, of course, a royal pain, but our feeling was that the effort was tractable, within the confines of using an existing record. For CSV, the SRV record was specified.

Things change considerably if a new RR is used, since regular DNS wildcards come back into consideration.

d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
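As an added illustration of the search the quoted CSV text describes (example code, not taken from the CSV specification or from this thread), the Python below models a receiver that queries `_client._smtp.<EHLO name>` for the weight field and then climbs toward the second-level domain, starting no deeper than the sixth level, looking for a record whose Port field carries the Explicit bit. The zone contents and the bit position inside the Port field are constructed assumptions.

```python
from typing import Dict, Iterator, Optional, Tuple

PREFIX = "_client._smtp"   # SRV owner-name prefix used by CSV-CSA records
EXPLICIT_BIT = 1 << 15     # assumed position of the Explicit bit in the Port field (constructed)
MAX_LEVEL = 6              # receivers search no deeper than sixth-level domains

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)

# Constructed zone data standing in for DNS answers; a missing key plays
# the role of a name that does not exist (NXDOMAIN).
ZONE: Dict[str, SrvRecord] = {
    f"{PREFIX}.example.com": (1, 2, EXPLICIT_BIT, "example.com."),
    f"{PREFIX}.mail.example.com": (1, 2, 0, "mail.example.com."),
}


def candidate_names(ehlo: str) -> Iterator[str]:
    """Yield the names to probe for the Explicit bit, deepest first.

    Starts at the EHLO name itself or, if that is deeper than six labels,
    at its sixth-level ancestor, and climbs to the second-level domain.
    """
    labels = ehlo.lower().rstrip(".").split(".")
    start = min(len(labels), MAX_LEVEL)
    for n in range(start, 1, -1):          # n labels, down to the second-level domain
        yield ".".join(labels[-n:])


def find_explicit(ehlo: str, zone: Dict[str, SrvRecord]) -> Optional[str]:
    """Return the first (deepest) ancestor whose record has the Explicit bit set."""
    for name in candidate_names(ehlo):
        rr = zone.get(f"{PREFIX}.{name}")
        if rr is not None and rr[2] & EXPLICIT_BIT:
            return name                    # a repeat at a subdomain stops the search sooner
    return None


def csv_lookup(ehlo: str, zone: Dict[str, SrvRecord]) -> Tuple[Optional[int], Optional[str]]:
    """Weight at the exact EHLO level, plus the domain asserting for all its subdomains."""
    exact = zone.get(f"{PREFIX}.{ehlo.lower().rstrip('.')}")
    weight = exact[1] if exact is not None else None
    return weight, find_explicit(ehlo, zone)


if __name__ == "__main__":
    print(csv_lookup("mail.example.com", ZONE))                 # (2, 'example.com')
    print(csv_lookup("h7.l6.l5.l4.l3.example.com", ZONE))       # (None, 'example.com')
```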