Michael Thomas wrote:
> Hi all,
> I think that there is a huge amount of confusion about how DNS wildcards
> work, and in particular how they might come to bear on the discovery
> problem for ssp-requirements, 5.1.4.
Michael, rather than continue this path of trying to tell people how
confused they are and that you know better, just show us your results.
Honestly, there are a lot of SMART people here - we are NOT stupid.
I'm glad you did this similar exercise that I did. I only did so to get
DNS people to explore how it can be done, and if there are certain
bottlenecks or hiccups, how do we get around them.
> Executive summary: Wildcards, either TXT or a new one DO NOT meet this
> requirement.
I'm not sure 100% that I agree. Maybe the requirement is wrong? If I
read your testing right, it is also based on not using a prefix. So
maybe that method is not right. Maybe you need to have a cut off.
Case in point:
> 4) Node which has a valid A record
> fugu$ host -t txt gate.mtcc.com
> gate.mtcc.com has no TXT record
> Here, the wildcard ceases to work and the resolver returns
> an ancount of zero. This case still *must* be handled somehow
> by SSP.
Right. This can be handled some way.
> 6) As it relates to the _domainkey subnode
> fugu$ host -t txt _domainkey.mtcc.com
> _domainkey.mtcc.com has no TXT record
> Note again that the wildcard at mtcc.com does not cover
> this since there are subnodes that bear RR's. This is really
> another case of 4 but it works even when it's an interior
> node that bears no RR's at its node.
Right, especially if you have a prefix for the SSP record that is
different than the KEY record.
I think the difference with my exercise is that here, you use the entire
domain where in my exercise, I borrowed the logic used in the LMAP
protocol "DMP" to use a prefix with a split of the domain:
*._SSP.<domain.tld> global answer
_SSP.<domain.tld> main domain answer
[subdomains.]_SSP.<domain.tld> subdomain answer
This works!
The only problem that I see with this style is that the client has to be
aware of the zone cuts. It needs knowledge of the gTLD and ccTLDs.
Let's not throw out the baby with the bath water yet.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
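The two wildcard failure cases quoted above (a host that already has an A record, and an interior node such as _domainkey that only exists because of records beneath it) and the *._SSP.<domain> split scheme can both be reproduced with a small model of RFC 4592 wildcard matching. This is an added example, not code from either poster; the zone contents and the `lookup`/`ssp_lookup` functions are constructed for illustration.

```python
# Added example: a minimal model of RFC 4592 wildcard synthesis, used to
# show why an apex wildcard misses existing nodes while a prefix split
# (*._SSP.<domain>) does not. Zone data below is constructed, not real.

def _answer(rrset, rtype):
    """DATA if the node carries rtype, else NODATA (ancount 0)."""
    return ("DATA", rrset[rtype]) if rtype in rrset else ("NODATA", None)

def _exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal
    (some owner in the zone lies beneath it)."""
    return name in zone or any(o.endswith("." + name) for o in zone)

def lookup(zone, name, rtype):
    """Resolve name/rtype against {owner: {rtype: rdata}}.
    Returns ("DATA", rdata), ("NODATA", None) or ("NXDOMAIN", None)."""
    if name in zone:                      # exact node: wildcard never consulted
        return _answer(zone[name], rtype)
    if _exists(zone, name):               # empty non-terminal, e.g. _domainkey
        return ("NODATA", None)
    labels = name.split(".")
    for i in range(1, len(labels)):       # walk up to the closest encloser
        anc = ".".join(labels[i:])
        if _exists(zone, anc):
            wild = "*." + anc             # only the encloser's own wildcard applies
            return _answer(zone[wild], rtype) if wild in zone else ("NXDOMAIN", None)
    return ("NXDOMAIN", None)

# Constructed zone for the apex-wildcard style (cases 4 and 6 in the thread).
MTCC = {
    "mtcc.com":                {"A": "192.0.2.1"},
    "*.mtcc.com":              {"TXT": "v=ssp-wildcard"},
    "gate.mtcc.com":           {"A": "192.0.2.10"},         # case 4: A only
    "sel._domainkey.mtcc.com": {"TXT": "v=DKIM1; p=CONSTRUCTED"},  # case 6 ENT
}

# Constructed zone for the split scheme: global / main domain / subdomain.
SSP = {
    "mtcc.com":            {"A": "192.0.2.1"},
    "gate.mtcc.com":       {"A": "192.0.2.10"},
    "_SSP.mtcc.com":       {"TXT": "main-domain-answer"},
    "*._SSP.mtcc.com":     {"TXT": "global-answer"},
    "sales._SSP.mtcc.com": {"TXT": "subdomain-answer"},
}

def ssp_lookup(zone, host, domain):
    """Client side of the split scheme. The caller must already know that
    'domain' is the zone the host belongs to (the zone-cut problem)."""
    if host == domain:
        return lookup(zone, "_SSP." + domain, "TXT")
    sub = host[: -len("." + domain)]      # hypothetical: strip the domain suffix
    return lookup(zone, sub + "._SSP." + domain, "TXT")
```

Note that a host two labels below the domain (host.sales.mtcc.com) maps to host.sales._SSP.mtcc.com, whose closest encloser is the published sales._SSP node, so it gets NXDOMAIN unless a *.sales._SSP wildcard is also published.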