ietf-dkim

[ietf-dkim] TXT Subdomain queries

2007-06-05 11:18:43
I'm not a DNS administrator expert, but I did a small exploration of two possible ways to deal with sub-domains.

I'm using the DSAP draft syntax to illustrate this.

Method one:  Multiple TXT records:

_dsap  0   TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
                  a=rsa-sha256; fa=fail; fx=fail; fs=fail;"

_dsap  0   TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
                  a=rsa-sha256;"

_dsap  0   TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
                  a=rsa-sha256;"

_dsap  0   TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
                  a=rsa-sha256;"

_dsap  0   TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"

_dsap  0   TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
                  3pl=mipassoc.org"

Given a domain with any number of subdomains, if any, take the main domain and preface it with _DSAP to do a TXT lookup.

For example:  sales.isdg.net

 NSLOOKUP -query=txt _dsap.isdg.net

Non-authoritative answer:

_dsap.isdg.net  text =

        "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"

_dsap.isdg.net  text =

        "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"

_dsap.isdg.net  text =

        "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"

_dsap.isdg.net  text =

        "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
           3pl=mipassoc.org"

_dsap.isdg.net  text =

        "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
           a=rsa-sha256;"

_dsap.isdg.net  text =

        "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
           a=rsa-sha256; fa=fail; fx=fail; fs=fail;"

In this case, the SD=sales subdomain tag is found to expose the domain policy.

Method Two: Using Wildcards

In this case, it's better to use the ZONE setup for this:

*._ssp      0   TXT "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail;
                       fs=fail;"

_ssp        0   TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
                       a=rsa-sha256; fa=fail; fx=fail; fs=fail;"

corp._ssp   0   TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
                       a=rsa-sha256;"

sales._ssp  0   TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
                       a=rsa-sha256;"

europe._ssp 0   TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always;
                       3p=never; a=rsa-sha256;"

public._ssp 0   TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"

list._ssp   0   TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
                       3pl=mipassoc.org"

In this case, a lookup for sales._ssp.isdg.net will provide the record we want. If it was missing, then the first record is returned.

So a lookup,  NSLOOKUP -query=txt   foobar._ssp.isdg.net will yield:

    "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"

Which says NO MAIL expected for this domain!

What are the problems with this type of logic?

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
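As an added example that is not part of Hector's post or the DSAP draft: a resolver-side evaluation of both layouts against an in-memory copy of part of the zone above, assuming the organisational domain (isdg.net) is already known to the caller and that, in method one, an exact sd match beats the sd=* record. The DNS side is emulated with RFC 4592 wildcard rules so the outcome for a two-label subdomain such as europe.sales is visible.

```python
# Constructed zone transcribed (in part) from the post: owner name -> TXT strings.
ZONE = {
    "_dsap.isdg.net": [  # method one: every policy lives at one owner name
        "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;",
        "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
        "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    ],
    # method two: one owner name per subdomain plus a catch-all wildcard
    "*._ssp.isdg.net": ["v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"],
    "_ssp.isdg.net": ["v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"],
    "sales._ssp.isdg.net": ["v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"],
    "europe._ssp.isdg.net": ["v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"],
}

def parse_tags(txt):
    """Split 'k=v; k=v;' into a dict; empty values such as 'op=' stay ''."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lookup_txt(name):
    """Emulate a TXT query under RFC 4592 wildcard rules: '*.X' answers only when X
    is the query name's closest existing ancestor, so a name below an existing owner
    (europe.sales._ssp) gets no answer rather than the catch-all."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in ZONE or any(n.endswith("." + ancestor) for n in ZONE):
            return ZONE.get("*." + ancestor, [])  # closest encloser found
    return []

def subdomain_of(domain, base):
    """'europe.sales.isdg.net' under 'isdg.net' -> 'europe.sales'; base itself -> ''."""
    return "" if domain == base else domain[: -len(base) - 1]

def policy_method_one(domain, base):
    """All policies at _dsap.<base>; an exact sd match wins, else the sd=* record (assumed)."""
    records = [parse_tags(t) for t in lookup_txt("_dsap." + base)]
    for want in (subdomain_of(domain, base), "*"):
        for tags in records:
            if tags.get("sd") == want:
                return tags
    return None

def policy_method_two(domain, base):
    """One owner name per subdomain under _ssp.<base>; the DNS wildcard is the fallback."""
    sub = subdomain_of(domain, base)
    txts = lookup_txt((sub + "." if sub else "") + "_ssp." + base)
    return parse_tags(txts[0]) if txts else None
```

Run against this zone, method two returns the "no mail expected" catch-all for foobar.isdg.net, but for europe.sales.isdg.net it returns nothing at all, because the wildcard at *._ssp is masked by the existing sales._ssp owner; meanwhile europe.isdg.net picks up the europe.sales policy from the europe._ssp record without any check that sd matches the queried name.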

