Hallam-Baker, Phillip wrote:
Why would we use a wildcard?
OK _spf.*.verisign.com would be a bear. The DNS specs do not support
exchange of this type of wildcard expression in zone transfers or (less
relevant) in DNSSEC. I think this is something that should be on the fix
list, not least because of the existing issues caused by NAPTR and SRV in
this respect.
But why would anyone need it?
Some people do send mail with the return address set for their own machine -
phill(_at_)cray5(_dot_)verisign(_dot_)com(_dot_) This is much less common these
days now that mx is
widly implemented. But why would such a machine benefit from a wildcarded
record?
I think it is important to understand this irrespective of the TXT record
issue.
If MARID is restricted to IP based authentication mechanisms then why not
simply look up cray5.verisign.com and resolve it to an IP address?
If we consider an extended spec that has other authentication credentials I
still don't see value in a wildcard.
There are companies that use subdomains for different organizational
units (two good examples of this are microsoft.com and ibm.com). They
might want to protect all of their organizational units with one set of
records instead of setting up records for each subdomain separetly.
Yakov
--
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Some lies are easier to believe than the truth" (Dune)