> The underlying problem is that all the proposals look at one
> individual RR set at a time.
> They have no way of advertising a default policy that
> covers an entire zone.

That is a fault of using DNS to begin with. At least, without modifying DNS
software to synthesize "default" records for certain kinds of lookups. DNS is
supposed to respond with NXDOMAIN if a record isn't found.

Now, last I checked, nothing stops a DNS implementation from returning a
"default" record. That's not the same as a wildcard record, as wildcard
semantics are clearly defined in RFC 1034 4.3.2. What I'm talking about
could be implementation-specific, for example in BIND 9-speak:

    zone "example.com." {
        type master;
        file "forward/example.com.dns";
        if (query == TXT && record == FALSE)
            record = (whatever a "deny" is);
    };

This wouldn't require a site to use such a DNS server, but it would give
operators using such a capable DNS server an advantage. It also wouldn't
require changing the specs here.

I can see DNS folks cringing now.

--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>
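Added example, not part of the message above: a toy zone lookup contrasting RFC 1034 4.3.2 wildcard matching with the hypothetical "default record" synthesis the message sketches. The zone contents, the SPF-style TXT strings and the choice to synthesize only for names that exist but lack a TXT record (NODATA) are assumptions made for illustration.

```python
# Constructed zone for illustration: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "example.com.": {"MX": ["10 mail.example.com."], "TXT": ["v=spf1 mx -all"]},
    "mail.example.com.": {"A": ["192.0.2.10"]},   # exists, but has no TXT
    "*.example.com.": {"TXT": ["v=spf1 -all"]},   # ordinary wildcard
}

# Hypothetical zone-wide default, standing in for the "record = deny" idea.
DEFAULT_TXT = "v=spf1 -all"


def wildcard_lookup(zone, name, rrtype):
    """RFC 1034 4.3.2 semantics: a wildcard applies only when the queried
    name does not exist at all and no closer existing name sits between it
    and the wildcard's owner. An existing name lacking the requested type
    yields NODATA (NOERROR with an empty answer), never the wildcard's data."""
    if name in zone:
        rrs = zone[name].get(rrtype)
        return ("NOERROR", list(rrs)) if rrs else ("NODATA", [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:                 # closest encloser found
            wild = "*." + ancestor
            if wild in zone:
                rrs = zone[wild].get(rrtype)
                return ("NOERROR", list(rrs)) if rrs else ("NODATA", [])
            return ("NXDOMAIN", [])          # no wildcard below this node
    return ("NXDOMAIN", [])


def default_lookup(zone, name, rrtype, default=DEFAULT_TXT):
    """Hypothetical server behaviour from the message: when a TXT query hits
    an existing name that has no TXT record, answer with a synthesized
    default instead of NODATA. Non-existent names still get NXDOMAIN here;
    whether they should also receive the default is a policy choice the
    message leaves open."""
    status, rrs = wildcard_lookup(zone, name, rrtype)
    if rrtype == "TXT" and status == "NODATA":
        return ("NOERROR", [default])
    return status, rrs


if __name__ == "__main__":
    for qname in ("example.com.", "mail.example.com.", "foo.example.com.",
                  "x.mail.example.com."):
        print(qname, "wildcard:", wildcard_lookup(ZONE, qname, "TXT"),
              "default:", default_lookup(ZONE, qname, "TXT"))
```

The two cases a wildcard cannot cover are the ones the default fills: an existing host with no TXT record, and (depending on the policy chosen) names beneath such a host.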