ietf-dkim

Re: [ietf-dkim] DNS wildcarding behavior scenarios

2007-06-08 10:34:16
Michael Thomas wrote:

> Hi all,
>
> I think that there is a huge amount of confusion about how DNS wildcards
> work, and in particular how they might come to bear on the discovery
> problem for ssp-requirements, 5.1.4.

Michael, rather than continue this path of trying to tell people how confused they are and that you know better, just show us your results. Honestly, there are a lot of SMART people here - we are NOT stupid.

I'm glad you did this similar exercise that I did. I only did so to get DNS people to explore how it can be done, and if there are certain bottlenecks, hiccups, how do we get around it.

> Executive summary: Wildcards, either TXT of a new one DO NOT meet this
> requirement.

I'm not sure 100% that I agree. Maybe the requirement is wrong? If I read your testing right, it is also based on not using a prefix. So maybe that method is not right. Maybe you need to have a cut off.

Case in point:


> 4) Node which has a valid A record
>
>    fugu$ host -t txt gate.mtcc.com
>    gate.mtcc.com has no TXT record
>
>    Here, the wildcard ceases to work and the resolver returns
>    an ancount of zero. This case still *must* be handled somehow
>    by SSP.

Right.  This can be handled some way.

> 6) As it relates to the _domainkey subnode
>
>    fugu$ host -t txt _domainkey.mtcc.com
>    _domainkey.mtcc.com has no TXT record
>
>    Note again that the wildcard at mtcc.com does not cover
>    this since there are subnodes that bear RR's. This is really
>    another case of 4 but it works even when it's an interior
>    node that bears no RR's at its node.

Right, especially if you have a prefix for the SSP record that is different than the KEY record.

I think the difference with my exercise is that here, you use the entire domain where in my exercise, I borrowed the logic used in the LMAP protocol "DMP" to use a prefix with a split of the domain:

    *._SSP.<domain.tld>                   global answer
    _SSP.<domain.tld>                     main domain answer
    [subdomains.]_SSP.<domain.tld>        subdomain answer

This works!

The only problem that I see with this style is that the client has to be aware of the zone cuts. It needs knowledge of the gTLDs and ccTLDs.

Let's not throw out the baby with the bath water yet.


--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html