Thanks for this. I think we'd decided this wouldn't work (along with JISC, who
currently run the authoritative DNS for gov.uk). For the life of me, I can't
remember why though!
It's worth reading RFC 4592, a fairly dense description of how DNS
wildcards work, to be clear about what names *.gov.uk wil match and what
they won't so you know what to expect. People even within the IETF can
find them confusing.
R's,
John
We'll have another look at it after the holidays. We have every intention of
making delegates responsible for doing something sensible in their namespace as
well.
Thanks again.
Ta.
I.
--
Dr Ian Levy
Technical Director
National Cyber Security Centre
Staff Officer : Kate Atkins, [email protected]
-----Original Message-----
From: John R Levine [mailto:[email protected]]
Sent: 20 December 2017 17:58
To: Kurt Andersen (b) <[email protected]>
Cc: Ian Levy <[email protected]>; [email protected]
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
I need to be able to emulate in some way the effect of SPF and DMARC
records for non-existent first level subdomains under the PSL gov.uk
- to stop spoof mail apparently coming from them being delivered.
I'm quite sure that you will need to do this via synthetic records
being returned either by the gov.uk name servers or by having gov.uk
refer to a general "parked domain" name server (farm) for all of the
non-existent subdomains ...
With your current DNS setup, you could add this, no new name servers
needed:
*.gov.uk. IN TXT "v=spf1 -all"
*.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>;
ruf=mailto:<something>"
This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and
abc.def.gov.uk. It won't cover names under existing subdomains, e.g.
abc.mod.gov.uk but it's better than nothing.
Unless the people who host your DNS are willing to let you use customized stunt
servers, which seems unlikely considering who they are, that's about the best
you can do without getting the cooperation of your delegatees.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY Please consider the
environment before reading this e-mail.
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjl.ly&data=02%7C01%7Cian.levy%40ncsc.gov.uk%7Cbd63e2124c974606c8a808d547d33b16%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636493894920036818&sdata=iUTep54zAORBtIwqsMU%2BjEg51F%2FhxgAEPX%2BXl9IEfmU%3D&reserved=0
This information is exempt under the Freedom of Information Act 2000 (FOIA) and
may be exempt under other UK information legislation. Refer any FOIA queries to
[email protected]
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
