Side note: what's the best way to test that a given domain has DKIM
records? Since I do not know the selectors (and since there is no way
to get the list of them), querying ANY for _domainkey.$DOMAIN (and
checking there is no NXDOMAIN) seemed a good idea.

Basically, you can't unless you happen to see mail from the domain and
snag the key record.

I'd suggest doing a lookup for A for _domainkey.$DOMAIN, and if you get
NOERROR (that is, 0 records but no error code), then check *.$DOMAIN. If
the latter gives you NXDOMAIN, that's a pretty strong hint that there's
something real under _domainkey. If you get an A record for
_domainkey.$DOMAIN, that's an almost sure indication that you've hit a
wildcard, but if you want you can still check *.$DOMAIN to see if it might
instead be severe misconfiguration.

ANY queries probably won't do what you want, since your cache will return
whatever it happens to have for that name, which may or may not be all of
what the authoritative server has.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
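
The two-lookup check described in the reply above, as an added example that is not part of the original message: it sends A queries for _domainkey.$DOMAIN and *.$DOMAIN as hand-built DNS packets and combines the response codes. The function names and result strings are hypothetical, and the handling of NXDOMAIN on _domainkey and of an empty NOERROR answer when a wildcard exists are assumptions not stated in the thread.

```python
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values

def build_query(name, qtype=1):
    """Encode a recursive query for name (QTYPE 1 = A, QCLASS 1 = IN)."""
    qid = secrets.randbits(16)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return qid, header + qname + struct.pack("!HH", qtype, 1)

def parse_status(qid, reply):
    """Return (rcode, answer_count) from the 12-byte header of a reply."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("reply does not match the query")
    return flags & 0x000F, ancount

def lookup_a(name, resolver, timeout=3.0):
    """Send one A query over UDP to resolver (an IPv4 address string)."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        return parse_status(qid, sock.recvfrom(4096)[0])

def classify(domainkey, wildcard):
    """Combine the (rcode, answer_count) results for _domainkey.D and *.D."""
    dk_rcode, dk_answers = domainkey
    if dk_rcode == NXDOMAIN:  # assumption: NXDOMAIN means nothing below either
        return "nothing at or below _domainkey"
    if dk_rcode != NOERROR or wildcard[0] not in (NOERROR, NXDOMAIN):
        return "inconclusive: lookup failed"
    no_wildcard = wildcard[0] == NXDOMAIN
    if dk_answers == 0:  # NOERROR with 0 records
        # assumption: with a wildcard present the empty answer proves nothing
        return "something real under _domainkey" if no_wildcard else "inconclusive: wildcard present"
    # Answer count stands in for "got an A record" (a CNAME would count too).
    return "possible misconfiguration" if no_wildcard else "wildcard hit"

def probe(domain, resolver):
    """Run both lookups through resolver and classify the pair."""
    return classify(lookup_a("_domainkey." + domain, resolver),
                    lookup_a("*." + domain, resolver))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))  # args: domain, resolver IPv4 address
```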