I don't quite understand the point here.
Why do you think it is necessary to define a signing policy for a node that
does not exist and does not therefore send mail?
You certainly need to define a signature policy but its not a signing policy.
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael Thomas
Sent: Friday, June 08, 2007 12:26 PM
To: IETF-DKIM
Subject: [ietf-dkim] DNS wildcarding behavior scenarios
Hi all,
I think that there is a huge amount of confusion about how
DNS wildcards work, and in particular how they might come to
bear on the discovery problem for ssp-requirements, 5.1.4.
Executive summary: Wildcards, either TXT of a new one DO NOT
meet this requirement.
Here is the proof using my own zone (using bind 9.3):
0) Pertinent Parts of my Zone:
mtcc.com. IN TXT "v=spf1 a mx include:cisco.com
include:volcano.net ~
all"
mtcc.com.*. IN TXT "v=spf1 a mx include:cisco.com
include:volcano.net ~
all"
gate IN A 64.142.29.1
alltheway.kirkwood._domainkey.mtcc.com. 3600 IN TXT
"v=DKIM1;
k=rsa; g=*; s
=email; t=y; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo0kNKsffbCSZ8mqsaApvPYyDzRf
GYXZBmg4VhvugbQ4wYrZXMGn9m/V7XJxKpJj9cHE2VHUemZUPlOto8FgerCrQM
aQC0tHgBw0DRjFCurMtS+4
EOfXcjn5LQ308BmVr2lUwl7QHuIFBE9Ls/66xld4AJxLrb9+"
"yeTIAUZdX7WwIDAQAB;"
1) Top level query
fugu$ host -t txt mtcc.com
mtcc.com descriptive text "v=spf1 a mx include:cisco.com
include:volcano.net ~all"
As you would expect: the exact match worked.
2) Query for nonexistent node adjacent to top level
fugu$ host -t txt asdfasd.mtcc.com
asdfasd.mtcc.com descriptive text "v=spf1 a mx
include:cisco.com include:volcano.net ~all"
This works as expected because of the top level wildcard.
3) Query for nonexistent node arbitrarily far from the top node
fugu$ host -t txt asdfsdf.asdf.mtcc.com
asdfsdf.asdf.mtcc.com descriptive text "v=spf1 a mx
include:cisco.com include:volcano.net ~all"
This works as you'd expect since there is a clear line to the top
of the wildcard.
4) Node which has a valid A record
fugu$ host -t txt gate.mtcc.com
gate.mtcc.com has no TXT record
Here, the wildcard ceases to work and the resolver
returns an ancount of zero.
This case still *must* be handled somehow by SSP.
5) Subnode from a valid non-TXT bearing node
fugu$ host -t txt asdfsdf.gate.mtcc.com
Host asdfsdf.gate.mtcc.com not found: 3(NXDOMAIN)
Here it returns NXDOMAIN. This the behavior you expect if
there wasn't
the *.mtcc.com wildcard.
6) As it relates to the _domainkey subnode
fugu$ host -t txt _domainkey.mtcc.com
_domainkey.mtcc.com has no TXT record
Note again that the wildcard at mtcc.com does not cover
this since there are
subnodes that bear RR's. This is really another case of 4
but it works even
when it's an interior node that bears no RR's at its node.
7) A TXT record that overrides the top level wildcard
fugu$ host -t txt alltheway.kirkwood._domainkey.mtcc.com
alltheway.kirkwood._domainkey.mtcc.com descriptive text
"v=DKIM1\; k=rsa\; g=*\; s=email\; t=y\; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo0kNKsffbCSZ8mqsaApv
PYyDzRfGYXZBmg4VhvugbQ4wYrZXMGn9m/V7XJxKpJj9cHE2VHUemZUPlOto8F
gerCrQMaQC0tHgBw0DRjFCurMtS+4EOfXcjn5LQ308BmVr2lUwl7QHuIFBE9Ls
/66xld4AJxLrb9+"
"yeTIAUZdX7WwIDAQAB\;"
Note that here, we can take the place of the top level wildcard by
simply putting a TXT record in. This is true of any place we might
want to put a TXT record.
8) Subnodes of valid TXT nodes
fugu$ host -t txt asdf.alltheway.kirkwood._domainkey.mtcc.com
Host asdf.alltheway.kirkwood._domainkey.mtcc.com not
found: 3(NXDOMAIN)
This is nothing more than case 5 again.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html