Re: Wildcards - Downgrade HOLD to SELL

David,

At 09:30 AM 5/6/2005, you wrote:
> DNS wildcards are a dangerous feature with very little benefit.  For a 
> good discussion of the dangers, see 
> <http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html>http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html 
> - IAB Commentary: Architectural Concerns on the Use of DNS 
> Wildcards.   The sole benefit appears to be a smaller zone file.  Hand 
> editing should not be a problem.  Even if a domain has hundreds of MX 
> records, and those records need to be identical, and they need to be 
> frequently changed, then they may have to invest in a text editor with a 
> search-and-replace function. :>)
With all respect, your opening statement seems rather bold for someone who 
has admitted to not being immersed in DNS all that long.  To paraphrase the 
article to which you point, if one wants to implement, one may freely go 
ahead with a full understanding of the implementation issues.  The author's 
reasonable cautions are based upon consequences of not paying attention to 
implementation issues, rather than making any blanket recommendation that 
people not use the wildcard facility in DNS.
IMHO, your observations are completely off base regarding DNS 
wildcards.  If used properly and managed properly there are very useful 
applications with which this feature can be used.  There are other security 
uses about which I shall not go into detail here.
> Wildcard MX records pose a serious problem with common user errors, like 
> misspelled email addresses.  Instead of a simple bounce message, which 
> users will expect, the mail could go to the wrong party.  If someone sends 
> an email with a typo to <mailto:me(_at_)mycopany(_dot_)gain(_dot_)com>me(_at_)myconpany(_dot_)tld, and 
> .tld has an MX wildcard catching all misspelled names, it could go to some 
> employee at .tld, who might sell it to the plaintiff's lawyer!!
When you discuss misrouted mail from a typo, that sort of thing certainly 
happens every day, but frequently it has nothing to do with DNS operation 
or any misperceived failing on the part of DNS.  If anyone types an 
address, they should reasonably expect that it gets delivered to the domain 
it is sent to and may be read by the recipient, no matter who you send 
to.  I think you are trying to fix the wrong protocol service here.  Rather 
I think that this is far more a problem of user stick error from left side 
of the @ sign typos or perhaps certain badly thought out SMTP 
implementations or network designs.
> It seems that some top-level-domains are actually using wildcard A and MX 
> records without the consent of their delegated domains!  See the link 
> above.  I can understand their wanting wildcard A records.  That allows 
> them to cut ahead of Microsoft and Melbourne IT in offering registration 
> services for new domain names, but why MX?  What the hell do they want 
> with emails intended for someone else?
Have you ever managed DNS for a network or for that matter experienced the 
joys of general network operations and security in a business 
environment?  Please don't presume on how others operate their networks in 
the course of doing proper and responsible business.  They may indeed have 
very specific and justifiable reasons for implementing with DNS wildcards.
> I think we need to use stronger language in the draft.  Here is my 
> recommended revision:
> 3.1.5  Wildcard Records
>
>    Use of wildcard records is not recommended
>    in any zone file with SPF records.  If a zone file has
>    wildcard MX records, it may need to publish wildcard SPF records with
>    similar structure.  In particular, the SPF records
>    must be repeated for any host that has any RR records at
>    all, and for subdomains thereof.  For example, the example given in
>    [RFC1034], Section 4.3.3, could be extended with:
>
>        X.COM.          MX      10      A.X.COM
>        X.COM.          TXT     "v=spf1 a:A.X.COM -all"
>
>        *.X.COM.        MX      10      A.X.COM
>        *.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
>
>        A.X.COM.        A       1.2.3.4
>        A.X.COM.        MX      10      A.X.COM
>        A.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
>
>        *.A.X.COM.      MX      10      A.X.COM
>        *.A.X.COM.      TXT     "v=spf1 a:A.X.COM -all"
>
>    Notice that SPF records must be repeated twice for every name within
>    the domain: Once for the name, and once for a wildcard to cover the
>    tree under the name.
>
>    Use of wildcards is discouraged in general as they cause every name
>    under the domain to exist and queries against arbitrary names will
>    never return RCODE 3 (Name Error).  For more on the dangers of wildcards
>    see [IAB].
NO.  For one thing, you are using wildcards in an example immediately after 
specifically stating that SPF implementations should not use them.
More importantly, I think that it is not the place of SPF to presume on how 
another specification should operate.  I am a big proponent of SPF, but if 
through the SPF spec, you plan to tell me how to run my DNS servers (other 
than how to implement an additional valuable feature such as protecting my 
domains from identity theft), by telling me accepted and appropriate uses 
of DNS wildcards is or may somehow become incompatible with SPF, it might 
be time to start looking at another solution to domain name identity theft.
I'm not going to do that.  Properly implemented SPF works and it works with 
or without DNS wildcards.
I think that the idea behind this group is to encourage adoption of SPF, 
rather than to turn off potential publishers and other adopters by making 
demands that are inconsistent with legitimate business practices and uses 
of DNS.  There is nothing wrong with DNS, please stop trying to seemingly 
promote views on this list that somehow DNS itself is broken or at least 
seriously flawed.
Given who stewards and who holds responsibility for the largest deployment 
of DNS code on the planet, feel certain that DNS has generally worked well, 
is working well and arguably will work well into the foreseeable 
future.  Too much infrastructure relies on DNS for any other 
outcome.  Consider that a successful DNS attack is real news and receiving 
spam is generally not considered news.
Paradoxically, even as a support of SPF, I look forward to the day when an 
article is published about an SPF exploit, because it will signal that SPF 
has actually grown to become so widely adopted that such an article is 
indeed worthy of news.  I think our job now is to make SPF strong enough 
that such a future exploit is limited and can be worked around and / or 
repaired quickly.
> 13.2 Informative References
> <add>
> [IAB] 
> <http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html>http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html 
> - "IAB
>         Commentary: Architectural Concerns on the Use of DNS Wildcards", 
> Sept 2003.
> </add>
Do RFCs point to URLs, which may or may not exist over time?  I'm not sure 
how many RFCs point to web pages, but given the dynamics of the Internet in 
general and web site design specifically, this is probably a very bad 
idea.  Pointing to physically published works in attribution seems far more 
sensible.
> --
> Dave
> ************************************************************     *
> * David MacQuigg, PhD      email:  dmquigg-spf at yahoo.com      *  *
> * IC Design Engineer            phone:  USA 520-721-4583      *  *  *
> * Analog Design Methodologies                                 *  *  *
> *                                   9320 East Mikelyn Lane     * * *
> * VRS Consulting, P.C.              Tucson, Arizona 85710        *
> ************************************************************     *
David, I am sorry if my tone appears strong because I still think that your 
heart is in the right place, but please don't attempt to break a whole lot 
of established and working infrastructure unless you have found a specific 
hole that absolutely warrants it.
Even then, go back to the creators of the service in question and see if 
that hole can be plugged without destroying parts of the infrastructure 
that have real and legitimate uses.  When you do, be very sure of what you 
ask and its global implications.  Should you not, this response will seem 
quite kind and gentle in comparison with what you will likely receive from 
those creators, who are saddled with the ultimate burden of responsibility 
for the choices they make in their implementations.  The choices those core 
service creators make hold enormous global repercussions for everyone on 
the Internet and they rightly take that responsibility very 
seriously.  They allow DNS wildcards for a reason.
Best,

Alan Maitland
WebMaster(_at_)Commerco(_dot_)Net
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/