Steve Atkins wrote:
>> This is a single lookup by the client, no traversal,
>> no loop, required.
>
> Your reasoning is unclear to me.
>
> Given the domain a.b.c.d.e.f.g.h.i.j.k.foo, please explain what
> single DNS query you would make and what answer you would
> expect to receive.
The single DNS query syntax would be:
a.b.c.d.e.f.g.h.i.j.k._ssp.foo
The result will depend on what this organization is going to define for
policies at each level.
Practically speaking, I can't imagine anyone using such a long set of
subdomains for email, but nevertheless it will naturally need to be
part of the equation.
For the sake of simplicity, let's cut that down to a.b.c.d.foo.com, and
let's use a well-understood TLD, .com, just so we can make sense out of
it, but of course it can be any valid TLD.
Again, it depends on what a company wishes for policies.
Example #1:
A company may want an "I ALWAYS SIGN ALL DOMAINS" policy, with NEVER
exceptions under the b.c.d.foo.com subdomain:
*._SSP 0 TXT policy=ALWAYS
*.b.c.d._SSP 0 TXT policy=NEVER
Example #2:
A company may want a global NOMAIL, with exceptions:
*._SSP 0 TXT policy=NOMAIL
_SSP 0 TXT policy=ALWAYS
*.d._SSP 0 TXT policy=NEVER
d._SSP 0 TXT policy=OPTIONAL
c.d._SSP 0 TXT policy=ALWAYS
b.c.d._SSP 0 TXT policy=OPTIONAL
*.b.c.d._SSP 0 TXT policy=NEVER
The client need only do one query for the specific email domain provided.
Let's try some real test example queries for the Example #2 domain policies
using the isdg.net domain:
email: isdg.net
query --> _ssp.isdg.net
This will return the ALWAYS policy (2nd record)
email: z.isdg.net
query --> z._ssp.isdg.net
This will return the NOMAIL policy (1st record)
email: d.isdg.net
query --> d._ssp.isdg.net
This will return the OPTIONAL policy (4th record)
email: q.d.foo.com
query --> q.d._ssp.foo.com
This will return the NEVER policy (3rd record)
Again, it all depends on what you want, and it seems that by using this
syntax, unless I'm missing something, it works. The DKIM DNS admin, with
the help of some fancy tool, will be able to create complex policy
records.
Finally, I think that if the DNS server can't handle the sub-domain "unions"
of policies, then we should move to a syntax on the TXT record itself where
more robust wildcard masking can be done by the client.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
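A worked model of the single-query scheme, added here as an example; it is not code from the post above, from the DKIM list, or from any SSP implementation. The zone data is Example #2 from the post. The zone apex names (isdg.net, foo.com), the assumption that the client already knows the apex, and all function names are assumptions made for illustration. Name matching follows the DNS wildcard rules of RFC 1034 section 4.3.3 and RFC 4592: an exact match wins, otherwise the resolver finds the closest encloser (the longest existing ancestor of the query name, including empty non-terminals) and synthesizes an answer only if that encloser has a "*" child. The block runs the four queries from the post, Steve Atkins' long domain, and two extra constructed names that exercise the closest-encloser rule.

```python
"""Model of the one-query _ssp policy lookup from the post (added example).

Assumptions: the client knows the zone apex; owner names are relative to
that apex; wildcard matching is the RFC 1034 / RFC 4592 closest-encloser
rule. Function names are made up here for illustration.
"""

# Example #2 from the post, keyed by owner name relative to the zone apex.
# DNS owner names are case-insensitive, so _SSP in the post is _ssp here.
EXAMPLE2_ZONE = {
    "*._ssp": "NOMAIL",
    "_ssp": "ALWAYS",
    "*.d._ssp": "NEVER",
    "d._ssp": "OPTIONAL",
    "c.d._ssp": "ALWAYS",
    "b.c.d._ssp": "OPTIONAL",
    "*.b.c.d._ssp": "NEVER",
}


def ssp_query_name(email_domain, apex):
    """Build the single query name the client sends: the _ssp label goes
    between the subdomain labels and the apex, so a.b.c.d.foo.com becomes
    a.b.c.d._ssp.foo.com and the apex foo.com itself becomes _ssp.foo.com."""
    email_domain = email_domain.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    if email_domain == apex:
        return "_ssp." + apex
    if not email_domain.endswith("." + apex):
        raise ValueError(f"{email_domain} is not under {apex}")
    sub = email_domain[: -(len(apex) + 1)]
    return f"{sub}._ssp.{apex}"


def existing_names(zone):
    """Every name that exists in the zone: the apex (""), each owner name,
    and every ancestor of an owner (empty non-terminals, RFC 4592 s2.2.2)."""
    names = {""}
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def lookup(zone, rel_name):
    """Resolve rel_name (relative to the apex) with DNS wildcard semantics.
    Returns the policy string, or None where DNS would answer NXDOMAIN or
    NODATA (no exact match and no usable wildcard at the closest encloser)."""
    rel_name = rel_name.lower()
    if rel_name in zone:
        return zone[rel_name]          # exact match; wildcards never consulted
    existing = existing_names(zone)
    if rel_name in existing:
        return None                    # empty non-terminal: exists, no TXT data
    labels = rel_name.split(".")
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:])        # "" is the apex
        if ancestor in existing:               # first hit is the closest encloser
            wildcard = "*." + ancestor if ancestor else "*"
            return zone.get(wildcard)          # None: encloser has no "*" child
    return None


def policy_for(email_domain, apex, zone=EXAMPLE2_ZONE):
    """The whole client-side procedure: one query name, one lookup.
    Returns (query_name, policy_or_None)."""
    apex = apex.lower().rstrip(".")
    qname = ssp_query_name(email_domain, apex)
    rel = qname[: -(len(apex) + 1)]
    return qname, lookup(zone, rel)


if __name__ == "__main__":
    # Constructed inputs: the post's four queries, the long domain from the
    # quoted question, and two names that exercise the closest-encloser rule.
    for dom, apex in [("isdg.net", "isdg.net"), ("z.isdg.net", "isdg.net"),
                      ("d.isdg.net", "isdg.net"), ("q.d.foo.com", "foo.com"),
                      ("a.b.c.d.e.f.g.h.i.j.k.foo", "foo"),
                      ("x.c.d.foo.com", "foo.com"),
                      ("x.y.b.c.d.foo.com", "foo.com")]:
        qname, pol = policy_for(dom, apex)
        print(f"{dom:28} -> {qname:38} -> {pol}")
```

The two constructed names show the part of DNS wildcard behaviour a zone author has to keep in mind: x.y.b.c.d.foo.com still reaches *.b.c.d._ssp because a wildcard matches any number of labels, while x.c.d.foo.com gets no record at all, because c.d._ssp exists, is therefore the closest encloser, and has no "*" child, so *.d._ssp is never consulted.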