2. Advice about wildcards in TXT records.

Proposed change: Add a note in section 6.1.2 warning about the effect
of wildcard TXT records on finding DKIM key records.

Section 3.6.2.1 currently says:

    INFORMATIVE OPERATIONAL NOTE: Wildcard DNS records (e.g.,
    *.bar._domainkey.example.com) do not make sense in this context
    and should not be used. Note also that wildcards within domains
    (e.g., s._domainkey.*.example.com) are not supported by the DNS.

That first sentence is just plain wrong. I have been using wildcard
DNS records of exactly that form for months, and they work fine. I
put a unique selector on each message, and when I get around to it
will extract the DNS lookup info to figure out how many people are
looking at my signatures. This may be morally reprehensible, but it
does make sense.

I suggest we delete the whole note.

Section 6.1.2 says:

    NOTE: The use of wildcard TXT records in the DNS will produce a
    response to a DKIM query that is unlikely to be valid DKIM key
    record. This problem applies to many other types of queries, and
    client software that processes DNS responses needs to take this
    problem into account.

This is only true if the name of the record doesn't include
_domainkey, so *._domainkey.example.com or
*.foo._domainkey.example.com is OK, but *.example.com is not. So I
suggest we rewrite it as:

    NOTE: Wildcard TXT records whose names are not in the _domainkey
    subdomain will generally produce a response to a DKIM query that
    is not a valid DKIM key record. This problem applies to many
    other types of queries, and client software that processes DNS
    responses needs to take this problem into account.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
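The distinction the post draws, as an added example that is not part of the message or of the DKIM draft: a small simulation of DNS wildcard synthesis (closest-encloser rule of RFC 1034/4592) over a constructed zone, with a DKIM key lookup run through it, so that a wildcard at `*._domainkey.example.com` answers with a usable key record while a catch-all `*.example.net` answers with a TXT record that is not one. The zone, the owner names and the placeholder `p=` values are all constructed; the third domain also shows a case the post does not mention, where an existing `_domainkey` node stops a catch-all wildcard from matching at all.

```python
# Constructed zone (not from the post): owner name -> TXT strings. Names are
# lowercase, fully qualified, no trailing dot. Keys are obvious placeholders.
ZONE = {
    "example.com": ["v=spf1 -all"],
    "*.example.com": ["catch-all wildcard, not a DKIM key"],
    "*._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"],
    "example.net": ["v=spf1 -all"],
    "*.example.net": ["v=spf1 -all"],            # wildcard outside _domainkey
    "example.org": ["v=spf1 -all"],
    "*.example.org": ["catch-all wildcard, not a DKIM key"],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2"],
}

def _nodes(zone):
    """Every owner name and each of its ancestors exists as a DNS node."""
    return {".".join(o.split(".")[i:]) for o in zone for i in range(o.count(".") + 1)}

def lookup_txt(qname, zone=ZONE):
    """Simplified RFC 1034/4592 lookup with wildcard synthesis; None = no answer."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]
    nodes = _nodes(zone)
    if qname in nodes:                  # empty non-terminal: exists, but no TXT data
        return None
    labels = qname.split(".")
    for i in range(1, len(labels)):     # walk up to the closest encloser ...
        if ".".join(labels[i:]) in nodes:
            return zone.get("*." + ".".join(labels[i:]))  # ... and use its wildcard, if any
    return None

def is_dkim_key_record(txt):
    """Tag=value list (RFC 6376 3.2) with a p= tag and, if v= is present, v=DKIM1."""
    tags = {p.split("=", 1)[0].strip(): p.split("=", 1)[1].strip()
            for p in txt.split(";") if "=" in p}
    return "p" in tags and tags.get("v", "DKIM1") == "DKIM1"

def fetch_dkim_key(selector, domain, zone=ZONE):
    """DKIM key lookup at <selector>._domainkey.<domain>; returns (txt, verdict)."""
    answers = lookup_txt(f"{selector}._domainkey.{domain}", zone)
    if not answers:
        return None, "no record"
    txt = answers[0]
    return txt, "valid key record" if is_dkim_key_record(txt) else "not a DKIM key record"

if __name__ == "__main__":
    for sel, dom in [("msg123", "example.com"), ("msg123", "example.net"),
                     ("mail", "example.org"), ("msg123", "example.org")]:
        print(f"{sel}._domainkey.{dom}: {fetch_dkim_key(sel, dom)}")
```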