ietf-mxcomp

Re: Wild card MXes

2004-05-28 09:21:23

In <a06020428bcdd0b030511(_at_)[192(_dot_)168(_dot_)1(_dot_)100]> Edward Lewis 
<edlewis(_at_)arin(_dot_)net> writes:

> PS - I'm still catching up on the thread, but I have to say that
> wouldn't all this go away with a new RR type?  The new RR type could
> then be used at an explicit name or in a wild card record.  The whole
> issue of prefixing names, looking around the tree, etc., dissipates.

Well, I think there is more than one "issue".

There is the issue of how to deal with domains that have wild-card MX
records.  There is the issue(?) of the use of a subdomain like
_marid.domain.tld causing problems with other wildcard usage.  (This
issue may just be a misunderstanding on my part.)  Finally, there is
the issue of how to create a MARID record such that it covers all of
the (appropriate) subdomains.


It is the MARID coverage issue that is "solved" by looking around the
DNS tree.  The problem is that example.com may be the only place that
is legitimately in email addresses for example.com, but we still have
to deal with spammers/phishers sending email claiming to be from
www.example.com, or 222.111.33.4.adsl.pool7.dept.example.co.uk.

My suggestion for quite a while has been to have a default SPF (MARID)
record at the zone cut level.  In most cases, this would require at
most two lookups, and it would likely only require the second lookup
when someone is misusing a domain name.  Others have suggested walking
up the DNS tree, but it is really hard to tell when it is appropriate
to stop looking.

I *think* there have also been some ideas of maybe being able to use
an appropriately structured part of the DNS tree so that a wild card could
protect the entire domain.  (This may be just another misunderstanding
on my part though.  I can't see how it could work.)


-wayne
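
The zone-cut fallback described in the message above, next to a label-by-label tree walk, as an added example that is not part of the original message. The zone data and record contents are constructed, the resolver is simulated so it runs offline, and it assumes the zone cut is learned from the SOA owner name that accompanies a negative answer.

```python
# Constructed zone data (not real DNS): zone apex -> {owner name: policy record}.
ZONES = {
    "example.com": {"example.com": "v=spf1 mx -all"},
    "example.co.uk": {"example.co.uk": "v=spf1 mx -all",
                      "lists.example.co.uk": "v=spf1 a -all"},
}

def norm(name):
    return name.lower().rstrip(".")

def enclosing_zone(name):
    """Closest enclosing zone apex; stands in for the SOA owner in a negative answer."""
    labels = norm(name).split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in ZONES:
            return apex
    return None

def query(name):
    """Simulated lookup: (policy record or None, apex of the answering zone or None)."""
    apex = enclosing_zone(name)
    if apex is None:
        return None, None
    return ZONES[apex].get(norm(name)), apex

def zone_cut_policy(domain):
    """Ask the exact name, then fall back once to the zone apex. Returns (policy, lookups)."""
    policy, apex = query(domain)
    if policy is not None or apex is None or apex == norm(domain):
        return policy, 1
    policy, _ = query(apex)  # second lookup only when the exact name has no record
    return policy, 2

def tree_walk_policy(domain):
    """Strip one label per lookup until a record turns up; nothing says where to stop."""
    labels = norm(domain).split(".")
    for i in range(len(labels)):
        policy, _ = query(".".join(labels[i:]))
        if policy is not None:
            return policy, i + 1
    return None, len(labels)  # walked all the way up to the TLD
```

With this data, the long forged host name from the message resolves to the apex default in two lookups under the zone-cut scheme, while the tree walk needs eight and, for a name with no covering record, keeps querying up to the TLD.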


