> It would be rather unsafe for the client to "walk up the tree"
> looking for STS records in parent domains. Where should it stop?
> "com."? What about "name." where there are delegations of the
> form "foo.name" and "foo.bar.name"?

This is the issue that the DBOUND working group currently is not solving. The usual advice for situations like these is to use the Mozilla Public Suffix List, which is widely agreed to be the least bad option if that's what you really want to do. We all agree that "least bad" does not mean "good".

> *.example.com. IN CNAME ...
> foo.*.example.com. IN TXT ...

That probably doesn't do what people want, since foo.*.example.com isn't a hostname and isn't a wildcard.

DMARC does approximately what has been suggested here, but that's because it's trying to deal with bad guys forging random subdomains. STS is dealing with actual MTAs. Does anyone really use wildcarded domains in incoming mail? I honestly don't know, but I don't think I've ever seen it.

R's,
John

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
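The stopping rule John describes as the "least bad option" (walk up the tree, but stop at the registrable domain as defined by the Public Suffix List) is made concrete below. This is an added illustration, not code from the thread, from any STS draft or from any MTA: the rule set is a small constructed subset written in the real PSL format (`//` comments, `*` wildcard rules, `!` exception rules, longest match wins, exception beats everything), and the `_mta-sts.` prefix and the function names are assumptions made here for the example. It shows why "where should it stop?" is answered only as well as the list is maintained: `foo.bar.name` walks up to `bar.name` because the constructed list says nothing about `bar.name` being a delegation point.

```python
# Added example (not from the original post): "walk up the tree" for STS
# TXT candidates, stopping at the registrable domain computed from a
# Public-Suffix-List-style rule set. The rule set is a constructed subset
# in the real PSL format; the genuine list lives at https://publicsuffix.org/.

CONSTRUCTED_PSL = """
// constructed subset of the Public Suffix List, for illustration only
com
name
uk
co.uk
ck
*.ck
!www.ck
"""


def parse_psl(text):
    """Return the rule lines of a PSL file, dropping blanks and // comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def _rule_matches(rule, labels):
    """PSL matching: the rule's labels must equal the domain's trailing
    labels, with '*' in the rule matching any single label."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules):
    """Prevailing rule: an exception rule if one matches, else the matching
    rule with the most labels, else the implicit '*' rule."""
    labels = domain.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        is_exception = rule.startswith("!")
        bare = rule[1:] if is_exception else rule
        if not _rule_matches(bare, labels):
            continue
        if is_exception:
            # Exception wins outright; the suffix is the rule minus its leftmost label.
            n = len(bare.split(".")) - 1
            return ".".join(labels[-n:])
        if best is None or bare.count(".") > best.count("."):
            best = bare
    n = len(best.split(".")) if best else 1
    return ".".join(labels[-n:])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def sts_walk_candidates(host, rules):
    """Names a walking-up client would query for an STS TXT record:
    the host itself and each parent, stopping at the registrable domain.
    The '_mta-sts.' label is an assumption made for this example."""
    reg = registrable_domain(host, rules)
    if reg is None:
        return []  # a bare public suffix such as co.uk gets no lookups at all
    labels = host.lower().rstrip(".").split(".")
    stop = len(reg.split("."))
    return ["_mta-sts." + ".".join(labels[i:])
            for i in range(len(labels) - stop + 1)]


RULES = parse_psl(CONSTRUCTED_PSL)

if __name__ == "__main__":
    for name in ("mx1.mail.example.co.uk", "foo.bar.name", "mail.foo.ck",
                 "www.ck", "co.uk"):
        print(name, "->", registrable_domain(name, RULES),
              sts_walk_candidates(name, RULES))
```

Run stand-alone it prints, for each constructed name, the registrable domain and the lookup chain; `co.uk` yields no candidates because the PSL says it is a suffix, `mail.foo.ck` stops immediately because `*.ck` makes every second-level `.ck` name a suffix, and `www.ck` is registrable only because of the `!www.ck` exception. The correctness of the stop point is entirely a property of the list, which is the sense in which "least bad" is not "good".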
