On Sat, 2007-06-02 at 14:51 -0700, Steve Atkins wrote:
> On Jun 2, 2007, at 2:37 PM, John Levine wrote:
>
> > We've gone around this enough times that I think that if there were a
> > reasonable way to do wildcards with TXT records, we'd have stumbled
> > across it by now.
>
> If you exclude "fix the authoritative server" as an option, then
> there isn't a reasonable way to do so. That's a reasonable
> exclusion in general.
>
> But... if the only problem is wildcard records, and only a small
> number of senders are going to want to use wildcards with
> SSP then the obvious engineering solution is to have those
> small numbers of senders upgrade their DNS infrastructure,
> rather than wait for the far larger number of potential recipients
> to upgrade their infrastructure.
>
> And, from what I'm hearing, those who are motivated to use
> SSP at all are mostly senders. Having those with the motivation
> be the ones who need to do the infrastructure upgrades
> would likely speed deployment. (But so would having a
> shiny new RR that's well designed and has desirable uses
> outside the grubby little niche that is SSP.)

By excluding wildcard MX records in those domains being phished or spoofed, the logic is rather simple. When there is an MX record for the email-address domain in question, then there MUST be a policy record, or policy does not matter. Enforcement of policy does NOT require wildcards! Simply, the MX record MUST NOT use wildcard MXs when policy matters.

Wildcards create other risks. Avoiding wildcard DNS records is a far safer course of action. Conditioning use of non-wildcard MX records eliminates any need to introduce new RRs. One simple policy record using a prefix (hopefully a hash of an associated domain) would be completely adequate. This also provides a simple means to solve the next set of problems:

a) replay abuse,
b) broken bounce messages.

-Doug
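
To make the rule in Doug's reply concrete, here is an added example that is not code from the thread or from any SSP draft: a toy resolver over a constructed in-memory zone that models wildcard synthesis (an existing owner name is never expanded; otherwise the wildcard under the closest existing ancestor applies), plus an evaluator that consults a policy record only when the address domain has an MX that is not wildcard-synthesized. The `_policy` prefix and all zone contents are assumptions.

```python
# Added example: applies the rule argued above over a constructed, in-memory zone.
# The "_policy" prefix and all zone data below are assumptions for illustration.

# name -> {rrtype: [rdata]}. "*.example.org" is a wildcard owner name.
ZONE = {
    "example.com":         {"MX": ["mail.example.com"]},
    "_policy.example.com": {"TXT": ["v=policy; signing=all"]},   # constructed policy record
    "example.org":         {"MX": ["mail.example.org"]},
    "*.example.org":       {"MX": ["mail.example.org"]},         # wildcard MX, no policy
    "b.example.org":       {"A": ["192.0.2.5"]},                 # blocks the wildcard below it
    "example.net":         {"A": ["192.0.2.10"]},                # no MX at all
}

POLICY_PREFIX = "_policy"   # assumed placeholder, not any draft's actual label


def lookup(name, rrtype):
    """Return (rdata list, synthesized_from_wildcard).
    Simplified RFC 1034/4592 wildcard logic: an existing owner name is never
    wildcard-expanded; otherwise the wildcard under the closest existing
    ancestor applies. Empty non-terminals are not modelled."""
    if name in ZONE:
        return ZONE[name].get(rrtype, []), False
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        star = "*." + ancestor
        if star in ZONE:
            return ZONE[star].get(rrtype, []), True
        if ancestor in ZONE:       # closest encloser has no wildcard child
            break
    return [], False


def evaluate(address_domain):
    """Outcome of the rule: policy matters only if the address domain has an
    MX record, and that MX must not be synthesized from a wildcard."""
    mx, synthesized = lookup(address_domain, "MX")
    if not mx:
        return "no-mx"              # policy does not matter
    if synthesized:
        return "wildcard-mx"        # cannot be relied on; publish an explicit MX instead
    policy, _ = lookup(f"{POLICY_PREFIX}.{address_domain}", "TXT")
    return "policy-found" if policy else "mx-without-policy"


if __name__ == "__main__":
    for d in ("example.com", "example.org", "sub.example.org", "x.b.example.org", "example.net"):
        print(d, "->", evaluate(d))
```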
