ietf-dkim

Re: [ietf-dkim] draft-iab-dns-choices-05 and tree climbing (fwd)

2008-03-02 09:00:37
It also says that DNS tree climbing is always bad.  We might want to
reconsider whether the small amount of tree climbing specified in -03
is worth the hassle it will doubtless cause on the route from final
draft to RFC.

After implementing this, I can say that it seems to be mostly working

I believe that it works to the extent that it covers immediate subdomains 
of the domain for which you're publishing an SSP/ASP record.

The question is whether that small amount of coverage is worth the 
pushback we will certainly get from the IAB when they see the tree 
crawling in our draft.  If bad guys know that foo.cisco.com is covered, 
why won't they just use foo.bar.cisco.com instead?

Also, keep in mind that if you really truly want to cover every possible 
subdomain, it's not out of the question to use a DNS server that 
synthesizes the necessary records on the fly using a different wildcard 
expansion process from BIND.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
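
The coverage question raised in the message above can be modelled in a few lines. This is an added example, not part of the original post or of any DKIM implementation. It assumes a simplified model in which a set of domain names stands in for the published SSP/ASP records; the function names and sample data are constructed for illustration.

```python
# Simplified model (assumption): the "zone" is just the set of names that
# publish an SSP/ASP record. Real lookups would be DNS queries.
PUBLISHED = {"cisco.com"}  # constructed sample data


def normalize(name):
    return name.rstrip(".").lower()


def one_level_lookup(domain, published=PUBLISHED):
    """Query the name itself, then climb exactly one label to its parent.

    Returns (name whose record answered, or None; list of names queried).
    """
    domain = normalize(domain)
    queries = [domain]
    if domain in published:
        return domain, queries
    _, _, parent = domain.partition(".")
    if parent:
        queries.append(parent)
        if parent in published:
            return parent, queries
    return None, queries


def synthesizing_lookup(domain, published=PUBLISHED):
    """Model of a server that synthesizes a record for every name at or
    below a published domain, so the first query answers and no climbing
    is needed."""
    domain = normalize(domain)
    for base in published:
        # Match on a label boundary so notcisco.com is not treated as covered.
        if domain == base or domain.endswith("." + base):
            return base, [domain]
    return None, [domain]


if __name__ == "__main__":
    for name in ("cisco.com", "foo.cisco.com", "foo.bar.cisco.com", "notcisco.com"):
        print(name, one_level_lookup(name), synthesizing_lookup(name))
```

With one level of climbing, foo.cisco.com is covered by the record at cisco.com, while foo.bar.cisco.com stops at bar.cisco.com and finds nothing; the synthesizing model answers for both on the first query.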