There are two sets of concerns here.
First there is how to achieve the administrative effect desired.
Second there is how to work with DNSSEC without requiring changes.
Administrative wildcards are part of the DNS configuration file and NOT the DNS
zone file that is transported by AXFR or whatever. If you are using DNSSEC you
are in any case going to be using some form of tool to sign your zone.
Expansion of administrative wildcards happens before the DNSSEC signature
records are created.
In general if you are editing a file with the signature records in it you are
probably doing something ill advised anyway.
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of
william(at)elan.net
Sent: Saturday, June 02, 2007 8:17 PM
To: Steve Atkins
Cc: Untitled WG
Subject: Re: [ietf-dkim] TXT wildcards SSP issues
On Sat, 2 Jun 2007, Steve Atkins wrote:
The problem is that you've just spec'ed SSP to use a protocol that is
not DNS. It's fairly similar to DNS, but it's not DNS. I can't
imagine the IESG accepting that in a standards track document.
No, it's perfectly compliant DNS. Really, it is.
It's not bind, though, and there's a fairly common fallacy at IESG,
amongst other places, that DNS is "what bind does" rather than
vice-versa. So, yeah, you're right about the standards document issue
(were it me, I'd just spec TXT records and not mention wildcards at
all).
I have a dns server that'll do internal wildcard records today (as do
you, IIRC). The information it uses to do that will not transfer
correctly over AXFR - but who, other than some subset of bind users,
uses AXFR to maintain their secondaries, anyway? :)
If it was just AXFR all would be great. But in order to do
DNSSEC it is in fact necessary for servers to know how to
process wildcards and that means any local wildcard-like
MACROs have to be part of the spec.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
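The ordering described in the reply at the top of this thread (administrative wildcards live in the server configuration and are expanded before the zone is signed), shown as an added example that is not part of the original messages. The `$ADMINWILD` directive, the `_policy` label and the sample records are hypothetical and constructed for illustration.

```python
# Added illustration: expand a server-local "administrative wildcard" into
# ordinary records BEFORE the zone goes to a DNSSEC signer or AXFR.
# "$ADMINWILD" and the "_policy" label are hypothetical, not real DNS syntax.

# Constructed sample configuration (documentation names and addresses only).
SAMPLE_CONFIG = """\
$ADMINWILD _policy TXT "constructed-policy-value"
example.com.             A    192.0.2.1
www.example.com.         A    192.0.2.2
mail.example.com.        A    192.0.2.3
mail.example.com.        MX   10 mail.example.com.
_policy.www.example.com. TXT  "explicit-override"
"""

def expand(config):
    """Return (owner, type, rdata) tuples with every $ADMINWILD rule expanded."""
    rules, records = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ADMINWILD"):
            _, prefix, rtype, rdata = line.split(None, 3)
            rules.append((prefix.lower(), rtype.upper(), rdata))
        else:
            owner, rtype, rdata = line.split(None, 2)
            records.append((owner.lower(), rtype.upper(), rdata))
    existing = {(owner, rtype) for owner, rtype, _ in records}
    owners = sorted({owner for owner, _, _ in records})
    expanded = list(records)
    for prefix, rtype, rdata in rules:
        for owner in owners:
            if owner.startswith(prefix + "."):
                continue  # do not stack the prefix on an already-prefixed name
            name = f"{prefix}.{owner}"
            if (name, rtype) not in existing:  # explicit records win
                expanded.append((name, rtype, rdata))
    return expanded

def to_zone_text(records):
    """Render plain zone-file lines, the form a signing tool would consume."""
    return "\n".join(f"{o}\t{t}\t{d}" for o, t, d in records)

if __name__ == "__main__":
    print(to_zone_text(expand(SAMPLE_CONFIG)))
```

The output holds only explicit records, so nothing server-specific reaches the signer or a zone transfer.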