I'm not a DNS administrator expert, but I did a small exploration of two
possible ways to deal with sub-domains.
I'm using the DSAP draft syntax to illustrate this.
Method one: Multiple TXT records:
_dsap 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
_dsap 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
_dsap 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"
Given a domain with any number of subdomains, if any, take the main
domain and preface it with _DSAP to do a TXT lookup.
For example: sales.isdg.net
NSLOOKUP -query=txt _dsap.isdg.net
Non-authoritative answer:
_dsap.isdg.net text =
"v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
_dsap.isdg.net text =
"v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
3pl=mipassoc.org"
_dsap.isdg.net text =
"v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
In this case, the SD=sales subdomain tag is found to expose the domain
policy.
Method Two: Using Wildcards
In this case, it's better to use the ZONE setup for this:
*._ssp 0 TXT "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"
_ssp 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
corp._ssp 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
sales._ssp 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
europe._ssp 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
public._ssp 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
list._ssp 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"
In this case, a lookup for sales._ssp.isdg.net will provide the record
we want. If it was missing, then the first record is returned.
So a lookup, NSLOOKUP -QUERY=TEXT foobar._ssp.isdg.net, will yield:
"v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"
Which says NO MAIL expected for this domain!
What are the problems with this type of logic?
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
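The two lookups described in the post, as an added example that is not part of Hector's message: a Python sketch that resolves a sub-domain's policy by Method one (one _dsap RRset, selected by sd= tag) and by Method two (per-label _ssp names with a wildcard fallback) against a constructed in-memory zone. The ZONE dict, the function names and the selection rule (exact sd= match, else the sd=* default) are assumptions; the TXT strings are the ones from the post.

```python
# Added example (not from the original post): resolve a DSAP-style sub-domain
# policy both ways discussed above against a constructed in-memory zone. The
# ZONE dict, function names and "exact sd= else sd=*" rule are assumptions.

# Constructed stand-in for DNS: owner name -> list of TXT strings (post's data).
ZONE = {
    "_dsap.isdg.net": [  # Method one: one RRset holding a record per sub-domain
        "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;",
        "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;",
        "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    ],
    # Method two: one owner name per sub-domain plus a wildcard catch-all
    "_ssp.isdg.net": ["v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"],
    "sales._ssp.isdg.net": ["v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"],
    "*._ssp.isdg.net": ["v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"],
}

def parse_policy(txt):
    """Turn 'k=v; k=v;' into a dict; an empty value such as 'op=' is kept as ''."""
    pairs = (item.split("=", 1) for item in txt.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def txt_lookup(name):
    """Toy resolver: exact owner name, else a one-label '*.' wildcard, else []."""
    if name in ZONE or "." not in name:
        return ZONE.get(name, [])
    return ZONE.get("*." + name.split(".", 1)[1], [])

def sub_part(fqdn, main):
    """'sales.isdg.net' under 'isdg.net' -> 'sales'; the main domain itself -> ''."""
    if fqdn != main and not fqdn.endswith("." + main):
        raise ValueError("%s is not under %s" % (fqdn, main))
    return fqdn[: -len(main)].rstrip(".")

def method_one(fqdn, main):
    """Fetch the whole _dsap RRset and pick the record whose sd= names this
    sub-domain, else the sd=* default. Resolvers do not preserve RR order,
    so select by tag content, never by position in the answer."""
    sub = sub_part(fqdn, main)
    policies = [parse_policy(t) for t in txt_lookup("_dsap." + main)]
    exact = [p for p in policies if p.get("sd") == sub]
    default = [p for p in policies if p.get("sd") == "*"]
    return (exact or default or [None])[0]

def method_two(fqdn, main):
    """Ask for <sub>._ssp.<main>; a sub-domain with no record of its own falls
    to the wildcard, whose empty op= the post reads as 'no mail expected'."""
    sub = sub_part(fqdn, main)
    records = txt_lookup((sub + "." if sub else "") + "_ssp." + main)
    return parse_policy(records[0]) if records else None
```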