Hector Santos wrote:
> I'm not a DNS Administrator expert, but I did a small exploration in two
> possible ways to deal with sub-domains.
>
> I'm using the DSAP draft syntax to illustrate this.
>
> Method one: Multiple TXT records:
>
> _dsap 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
>
> _dsap 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> _dsap 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> _dsap 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> _dsap 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
>
> _dsap 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org"
>
> Given a domain with any number of subdomains, if any, take the main
> domain and preface it with _DSAP to do a TXT lookup.
>
> For example: sales.isdg.net
>
> NSLOOKUP -query=txt _dsap.isdg.net
>
> Non-authoritative answer:
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org"
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> _dsap.isdg.net text =
> "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
>
> In this case, the SD=sales subdomain tag is found to expose the domain
> policy.
Two issues:

When you receive a message from sales.isdg.net, how do you know that the
"main" domain is isdg.net? More generally, if you get a message from
covington.losaltos.k12.ca.us, what is the "main" domain?

Returning a whole bunch of TXT records doesn't scale at all well to large
numbers of subdomains.

> Method Two: Using Wildcards
>
> In this case, it's better to use the ZONE setup for this:
>
> *._ssp 0 TXT "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail;
> fs=fail;"
>
> _ssp 0 TXT "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never;
> a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
>
> corp._ssp 0 TXT "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> sales._ssp 0 TXT "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never;
> a=rsa-sha256;"
>
> europe._ssp 0 TXT "v=dsap1.0; sd=europe.sales; rr=0; op=always;
> 3p=never; a=rsa-sha256;"
>
> public._ssp 0 TXT "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
>
> list._ssp 0 TXT "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
> 3pl=mipassoc.org"
>
> In this case, a lookup for sales._ssp.isdg.net will provide the record
> we want. If it was missing, then the first record is returned.
>
> So a lookup, NSLOOKUP -QUERY=TEXT foobar._ssp.isdg.net, will yield:
>
> "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;"
>
> Which says NO MAIL expected for this domain!
>
> What are the problems with this type of logic?

Again, the difficulty, if you receive a message from sales.isdg.net, is
knowing where to query. Is it sales._ssp.isdg.net, or _ssp.sales.isdg.net?
More complex domain names will result in more possibilities.

-Jim

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
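Added example (Python; not code from either post): a parser for the DSAP-style TXT strings above and a lookup over an in-memory copy of Hector's "Method Two" zone that tries both query shapes Jim names and reports which one answered. It assumes org_domain is supplied by the caller, since neither post gives a rule for finding the "main" domain, and it applies the RFC 4592 wildcard rule (an existing intermediate name blocks a higher wildcard).

```python
# Constructed zone for isdg.net: the "Method Two" records from the post, as TXT strings.
ZONE = {
    "*._ssp.isdg.net": "v=dsap1.0; rr=0; op=; 3p=; fa=fail; fx=fail; fs=fail;",
    "_ssp.isdg.net": "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;",
    "corp._ssp.isdg.net": "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "sales._ssp.isdg.net": "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "europe._ssp.isdg.net": "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "public._ssp.isdg.net": "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;",
    "list._ssp.isdg.net": "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org",
}


def parse_dsap(txt):
    """Parse 'tag=value; tag=value;' into a dict; an empty value such as 'op=' stays ''."""
    policy = {}
    for field in txt.split(";"):
        if field.strip():
            tag, _, value = field.partition("=")
            policy[tag.strip()] = value.strip()
    return policy


def lookup_txt(name):
    """Exact owner first, else the '*' child of the closest existing ancestor (RFC 4592 rule)."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if any(n == ancestor or n.endswith("." + ancestor) for n in ZONE if n[0] != "*"):
            return ZONE.get("*." + ancestor)
    return None


def no_mail_expected(policy):
    """Hector's reading of the wildcard record: empty op= and 3p= mean no mail at all."""
    return policy.get("op") == "" and policy.get("3p") == ""


def find_policy(sender_domain, org_domain):
    """Try both query shapes Jim asks about; return (query name, policy) of the first hit."""
    # org_domain is an input: the post gives no rule for deriving it from the sender.
    sub = sender_domain[: -len(org_domain) - 1] if sender_domain != org_domain else ""
    first = sub.split(".")[0]  # Hector keys sd=europe.sales under europe._ssp
    candidates = [f"{first}._ssp.{org_domain}".lstrip("."), f"_ssp.{sender_domain}"]
    for qname in candidates:
        txt = lookup_txt(qname)
        if txt is not None:
            return qname, parse_dsap(txt)
    return None, None
```

Because only one of the two candidate names exists in this zone, a verifier that does not know the convention in advance has to issue both queries at every subdomain depth, which is the cost Jim's last paragraph points at.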
