Barry Leiba wrote:
On Thu, Oct 14, 2010 at 12:45 AM, SM <sm(_at_)resistor(_dot_)net> wrote:
At 17:31 13-10-10, Hector Santos wrote:
My proposal to add more informative notes to help minimize this for
the systems with the lack of DNS admin expertise on board. In
particular for those with currently one existing need for a TXT record
and that is SPF and incorrectly believe since its a TXT record, adding
the DKIM public key data to it will work.
There is an assumption that people managing DNS zones will have a
basic understanding of DNS. �I don't think that the DKIM
specification should get into badly designed GUIs.
I agree, more generally, that the DKIM spec can't tell people the
right way to manage their DNS records. DKIM already separates its TXT
records with the "_domainkey" identifier, as SPF does with _spf. If,
given that separation, people still merge the TXT records and whatnot,
that problem's well beyond the scope of our work to fix.
I appreciate the desire to put more information in there to help, but
we really can't be writing a tutorial on managing DNS records.
I know you realize I was not advocating information on managing DNS
records.
But what happen today, is further evidence that even DNS
administrators or software developers who are asked to write a
WEB-BASED manager for their service to support SPF and now DKIM, are
not aware of how mixing it is can be in conflict.
All I ask is that possible a simple statement or sentence in that
short section provide some insight regarding not mixing it up with
other TXT records and that wildcards should not be used for other TXT
records because this can fail the DKIM public key lookup.
In this case, a customer is using Network Solutions and in their add
TXT record, it doesn't allow a blank sub domain. The only way to do
it is to have a
subdomain: "* (ALL OTHERS)"
domain: .xyz.com
value: v=spf1 .............
Clearly, this a software bug and the customer called NS about how to
get a non-wildcard SPF record because it was interfering with their
new DKIM public and ADSP records setup. NS's (first level support)
answer was (erroneous) - "not possible. It doesn't work that way."
So sure, this has to be fixed by NS, but what I am saying is that ISP
people will also be reading the specs too perhaps to see what is
required to implement Web-based DNS Records Management tools with DKIM
and SPF support and what I am proposing is helpful insight on the
design guidelines that would avoid conflicts.
BTW, the customer (a government newsletter bulk spammer) had to delete
his SPF record to get our DKIM implementation running with verifiable
signatures. With the conflict, they were getting dkim invalid
signatures with selector DNS errors.
I'm sure they will be many customers who may not want to delete their
SPF record in order to get DKIM working. So my suggestion is to help
avoid these potential conflicts.
It is not about going deep into DNS management issues. Just the basic
DKIM public key integration issues with existing TXT records.
If you don't think that is possible, ok. I think it is, but... :)
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html