>> It also says that DNS tree climbing is always bad. We might want to >> reconsider whether the small amount of tree climbing specified in -03 >> is worth the hassle it will doubtless cause on the route from final >> draft to RFC.
> After implementing this, I can say that it seems to be mostly working I believe that it works to the extent that it covers immediate subdomains of the domain for which you're publishing an SSP/ASP record. The question is whether that small amount of coverage is worth the pushback we will certainly get from the IAB when they see the tree crawling in our draft. If bad guys know that foo.cisco.com is covered, why won't they just use foo.bar.cisco.com instead? Also, keep in mind that if you really truly want to cover every possible subdomain, it's not out of the question to use a DNS server that synthesizes the necessary records on the fly using a different wildcard expansion process from BIND. R's, John _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
