ietf-dkim

Re: [ietf-dkim] protecting domains that don't exist

2008-04-16 07:09:32
>> Now, I have no idea what limits were placed on this capability by provisioning
>> systems. What I do know is that several customers used this feature to create
>> very large numbers of subdomains. (I know this because this particular usage
>> exposed several bugs.)
>>
>> Another thing that's surprisingly common is for sites to have very large
>> numbers of explicitly configured domains and subdomains - like on the order of
>> tens of thousands.

> Gee, some actual real life experience -- how refreshing!

Well, sort of. Our perspective on this is somewhat limited: We get told about
stuff when there's a problem. Customers as a rule don't contact us and say,
"This is all working great, here's all of the stuff we did". It's more like,
"Help! We did such and such and now the machine room is on fire! Help us put it
out!"

> Let's assume for the purposes of argument that such a site wants to use
> DKIM and ADSP.  Presumably there's some set of tools to manage the DNS for
> the umpteen thousand subdomains.

I assume there is, but it isn't something we provide. (I've actually argued
that it would make sense for us to provide such a tool, possibly deriving DNS
information from what's already in LDAP, but I've gotten no traction on
developing such a thing.) 

> The thought of doing it all by manually editing BIND zone files is too
> horrible to contemplate, isn't it?

> Hypothesis A: They'll update the tools to create matching ADSP and perhaps
> DKIM key records for the domains they use, so clients can just check the
> ADSP for whatever domain is on the From: line.
>
> Hypothesis B: The tools can't do it, they'll only be able to stick in a
> few hand-crafted DKIM key and ADSP records for upper level domains, so
> ADSP clients checking lower level subdomains will have to look around the
> tree and find those records.
>
> The current ADSP draft is written with an eye toward B, but it seems to me
> that A is at least as likely.  What does your experience suggest?

Sorry, this is one where I just don't know the answer. I'll fire off a message
to our internal support list and see what, if anything, other people here
know about DNS provisioning.

                                Ned
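The two lookup strategies behind Hypothesis A and Hypothesis B, as an added example that is not part of the thread: a verifier that only queries the From: domain versus one that walks up the tree to find a hand-crafted upper-level record. The record name `_adsp._domainkey.<domain>`, the `dkim=<policy>` TXT syntax and the in-memory zone are assumptions made for this illustration.

```python
# Added example (not from the thread): simulate both ADSP lookup strategies
# against a constructed in-memory "zone" instead of live DNS.
# Assumed for illustration: ADSP lives at _adsp._domainkey.<domain> as a TXT
# record using a "dkim=<policy>" tag.
from typing import Dict, Optional

# Constructed zone: a hand-crafted record at the top (Hypothesis B) plus one
# subdomain record that provisioning tooling produced (Hypothesis A).
ZONE: Dict[str, str] = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.sales.example.com": "dkim=discardable",
}


def parse_policy(txt: str) -> Optional[str]:
    """Extract the dkim= tag value from an ADSP TXT record, if present."""
    for tag in txt.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "dkim":
            return value.strip()
    return None


def lookup_exact(from_domain: str) -> Optional[str]:
    """Hypothesis A: every domain publishes its own ADSP record, so only the
    From: domain itself is queried. None means no policy is published."""
    txt = ZONE.get(f"_adsp._domainkey.{from_domain}")
    return parse_policy(txt) if txt else None


def lookup_tree_walk(from_domain: str, max_steps: int = 8) -> Optional[str]:
    """Hypothesis B: records exist only at upper levels, so the verifier walks
    up one label at a time. Bounded so one message cannot trigger unbounded
    DNS queries; the walk stops before reaching the TLD."""
    labels = from_domain.split(".")
    for i in range(min(max_steps, len(labels) - 1)):
        candidate = ".".join(labels[i:])
        txt = ZONE.get(f"_adsp._domainkey.{candidate}")
        if txt:
            return parse_policy(txt)
    return None
```

Note that the tree walk returns the parent's policy for any label under it, including subdomains that were never provisioned, which is exactly what makes it usable for the thread's "domains that don't exist" case and also why a verifier needs the query bound.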
