On Sat, May 14, 2016 at 03:44:53AM +0300, Vladimir Dubrovin wrote:
> > > There are situations where this is practically impossible, e.g. wildcard
> > > domains. For example, I want MX to accept mail for *.example.com and
> > > support STS. Having policy.mta-sts.*.example.com can be problematic if
> > > *.example.com already exists as e.g. CNAME.
> >
> > That's actually not a problem, CNAMEs have no effect on sub-trees,
> > so you can have a sub-domain of a CNAME, just not a delegated one:
> >
> > *.example.com. IN CNAME ...
> > foo.*.example.com. IN TXT ...
>
> DNS RFCs only allow wildcards in leftmost position, so
> foo.*.example.com.
> doesn't conform to existing standards and AFAIK this syntax is not
> supported in bind.
This is not true. See this live for example at:
$ dig +noall +ans +nocl +nottl -t a "*.foo.msmuxy.org."
*.foo.msmuxy.org. CNAME mx1.msmuxy.org.
mx1.msmuxy.org. A 38.117.134.19
$ dig +noall +ans +nocl +nottl -t txt "_smtp-sts-policy.*.foo.msmuxy.org."
_smtp-sts-policy.*.foo.msmuxy.org. TXT "This is a test"
The BIND source of the zone file has:
*.foo IN CNAME mx1
_smtp-sts-policy.\*.foo IN TXT "This is a test"
> > > In addition, it can lead to overhead in reporting, because every subdomain
> > > generates its own report as a separate message.
> >
> > Yes, mail to wildcard sub-domains is mostly a bad idea, and leads
> > to all sorts of problems.
>
> There are public mail servers where users historically were allowed to
> register subdomains to receive mail in addition to mailboxes.
There should be a specific registration of each such domain.
Instead of wildcard MX records, publish explicit MX records for
each such domain, and STS records as necessary.
DANE works better here, because the security data is published with
the MX host, not the nexthop domain, which only needs (DNSSEC
validated) MX records; wildcards are OK.
--
Viktor.
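An added toy model (not code from this thread) of the lookup rules behind the dig output above: RFC 1034 owner-name matching plus the RFC 4592 wildcard rules, run over the msmuxy.org records quoted in the message. The ZONE dict and the extra query names are constructed; delegations, DNSSEC and case handling are left out. Beyond the two dig queries, it also shows what a concrete name under the wildcard resolves to and that nothing is synthesised beneath the literal "*" node.

```python
# Toy DNS lookup: exact match, RFC 4592 wildcard synthesis, CNAME chasing.
# Constructed from the dig output and zone snippet in the email (not real code
# from the thread; no delegation/DNSSEC handling).
ZONE = {
    "*.foo.msmuxy.org.": [("CNAME", "mx1.msmuxy.org.")],
    "mx1.msmuxy.org.": [("A", "38.117.134.19")],
    "_smtp-sts-policy.*.foo.msmuxy.org.": [("TXT", "This is a test")],
}

def _parent(name):
    """'a.b.c.' -> 'b.c.', 'c.' -> '.'"""
    return name.partition(".")[2] or "."

def _node_exists(name):
    """A name exists if some owner equals it or lies below it (RFC 4592
    treats such 'empty non-terminals' as existing nodes)."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def lookup(qname, qtype, _depth=0):
    """Return (rcode, answers); answers are (owner, type, rdata) triples."""
    qname = qname.lower()
    # 1. exact owner-name match: "*" is an ordinary label unless it is the
    #    leftmost one, and a CNAME at "*.foo" says nothing about names below it
    rrset = ZONE.get(qname)
    if rrset is None:
        # 2. wildcard synthesis: climb to the closest encloser, then look for
        #    a wildcard owner directly beneath it
        enc = _parent(qname)
        while enc != "." and not _node_exists(enc):
            enc = _parent(enc)
        rrset = ZONE.get("*." + enc) if enc != "." else None
        if rrset is None:
            return ("NXDOMAIN", [])
    cname = next((d for t, d in rrset if t == "CNAME"), None)
    if cname and qtype != "CNAME":
        # 3. a CNAME applies to this owner only; restart at the target
        if _depth >= 8:                         # loop guard
            return ("SERVFAIL", [])
        rcode, rest = lookup(cname, qtype, _depth + 1)
        return (rcode, [(qname, "CNAME", cname)] + rest)
    answers = [(qname, t, d) for t, d in rrset if t == qtype]
    return ("NOERROR", answers) if answers else ("NODATA", [])

def demo():
    return {
        "literal": lookup("_smtp-sts-policy.*.foo.msmuxy.org.", "TXT"),  # dig #2
        "wild_a": lookup("*.foo.msmuxy.org.", "A"),                      # dig #1
        "sub_txt": lookup("_smtp-sts-policy.bar.foo.msmuxy.org.", "TXT"),  # real subdomain
        "below_star": lookup("x.*.foo.msmuxy.org.", "A"),                # no "*.*.foo"
    }
```

For the real subdomain the wildcard CNAME is synthesised and the TXT question moves to mx1.msmuxy.org, which has none; the literal "*" owner is only reached by asking for it by name.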
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta