Jim Fenton wrote:
> Hector Santos wrote:
>> Do the DNS query for the valid ones and fake subdomains, or no
>> subdomains:
>> NSLOOKUP -query=txt SUBDOMAINS._ssp.santronics.com
>> You said it won't work "AT ALL." I would like to know why not?
>> Every policy I want is defined including eliminating the ABUSE with a
>> global NOMAIL record.
> You're right, that one works.
> Now suppose that, instead of santronics.com, you were
> santronics.homestead.fl.us (domains of this form do exist). The query
> for SUBDOMAINS.santronics.homestead._ssp.fl.us wouldn't yield the
> desired result.
> Steve overstated his case when he said it would not work at all, but it
> does not work in general.
It's amazing how these are perceived here. :-)
Ok, I understand the point about the gTLDs and ccTLDs now.
I think the main thing that I wanted to extract from this exercise is
that the TXT record layout technique I describe was doable. In other
words, once the query question can be established, the layout of the
wildcard TXT records would satisfy the requirement for sub-domain policies.
I think I accomplished that. Am I still wrong there?
So the issue is now what the query question is, or more specifically,
where domain ownership begins and whether the client can understand
what the gTLDs and/or ccTLDs are.
I think we can solve this query question various ways:
1) Provide a HINT in the DKIM-Signature.
2) Use Doug's suggestion to make it part of the LOOKUP algorithm to
contain a list (name space) of current gTLDs and ccTLDs.
3) Less optimal: use an SOA or ANY query to find where the TLDs end and
domain ownership begins. This can be cached so subsequent queries will be
more direct.
4) Provide a discovery record for the full domain.
Also, we have two design requirements to resolve:
- One that satisfies the requirement, as written, that you only
need to look for SSP for failed signatures,
- One that satisfies ALLOWABLE implementations that
can do an SSP lookup at all times.
I think I proved via DSAP that abuse is possible for non-signed messages
abusing a domain. So if one takes the presumption that a NON-SIGNED
message is an INVALID message, a lookup for SSP will be desirable.
What that means is that option #1 will not work reliably. SSP *should*
not be dependent on having a DKIM-Signature record present.
However, for those who believe that SSP is not active unless a
DKIM-Signature is available, a HINT can be provided in the
DKIM-Signature header.
I think that the safest bet is to make SSP independent of the
DKIM-Signature header.
There has got to be a way to resolve that TLD vs. domain ownership level
issue. It seems so simple, but it might require an initial two
queries. In lieu of that, Doug's idea sounds like the only real way to
solve this: the client must be aware of the gTLDs and ccTLDs, or there
must be a way to extract this information.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html