On Dec 1, 2005, at 11:31 AM, Hallam-Baker, Phillip wrote:
A much better way to solve this problem is to introduce a pointer RR
that obeys the semantics of *.example.com or #.example.com the same as
any other non-prefixed pointer. The resolution process for a prefixed
record then becomes:
1) record = resolve ("_prefix.example.com", {TXT, SRV, ...})
   if record != null return 'found'
2) pointer = resolve (example.com, PTR)
   if pointer == null return 'not found'
3) record = resolve ("_prefix." + pointer, {TXT, SRV, ...})
   if record != null return 'found' else return 'not found'
This scheme also provides an additional management advantage: instead of
configuring policy for each machine individually I can define different
policy classes as needed and assign that policy to a particular machine
by specifying the corresponding pointer, e.g.:
_dkim.servers.example.com TXT "DKIM policy for servers"
_yaddis.servers.example.com TXT "Policy for YADDIS"
_dkim.desktop.example.com TXT "DKIM policy for desktops"
This approach would create several challenges. With respect to
DNSSEC, additional lookups will be required to investigate above the
set of PTR RRs, in addition to obtaining the PTR RRs. Even with
normal DNS, extra sequential DNS lookups amplify the effects of an
embedded reference. When a domain is publishing a large DNS wildcard
record, even when not directly involved in a DDoS, the impact may
still result in filtering by name at the referencing protocol. This
method would be difficult to defend from being abused.
-Doug
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
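The three-step lookup quoted above, and Doug's point that it costs extra sequential queries, can be seen in a small toy resolver. This is an added example, not code from either author or from any IETF document; it runs over a constructed in-memory zone (a dict) instead of real DNS, and counts queries so the per-resolution cost is visible. The record names and policy strings are taken from the quoted message; the host names `mail1`, `ws42` and `special` are assumptions.

```python
# Added example: toy resolver for the "_prefix + pointer" scheme quoted above.
# The zone is a constructed dict, not live DNS; type "PTR" is used for the
# pointer record because that is what the quoted pseudocode uses.
from typing import Dict, Optional, Tuple

# Constructed zone data: (owner name, RR type) -> RDATA.
ZONE: Dict[Tuple[str, str], str] = {
    # policy classes, as in the quoted message
    ("_dkim.servers.example.com", "TXT"): "DKIM policy for servers",
    ("_yaddis.servers.example.com", "TXT"): "Policy for YADDIS",
    ("_dkim.desktop.example.com", "TXT"): "DKIM policy for desktops",
    # hosts assigned to a class via a pointer (host names are assumptions)
    ("mail1.example.com", "PTR"): "servers.example.com",
    ("ws42.example.com", "PTR"): "desktop.example.com",
    # a host with its own direct record *and* a pointer: the direct record wins
    ("_dkim.special.example.com", "TXT"): "host-specific DKIM policy",
    ("special.example.com", "PTR"): "servers.example.com",
}


class ToyResolver:
    """Answers from the in-memory zone and counts every query made."""

    def __init__(self, zone: Dict[Tuple[str, str], str]) -> None:
        self.zone = zone
        self.queries = 0  # one increment per lookup = one DNS round trip

    def resolve(self, name: str, rrtype: str) -> Optional[str]:
        self.queries += 1
        return self.zone.get((name, rrtype))


def resolve_prefixed(resolver: ToyResolver, prefix: str, domain: str,
                     rrtype: str = "TXT") -> Tuple[Optional[str], int]:
    """Run the three-step lookup; return (rdata or None, queries used).

    The pointer is followed exactly once, so a chain or loop of pointers
    cannot drive the resolver into an unbounded series of lookups.
    """
    start = resolver.queries

    # Step 1: direct lookup of the prefixed name.
    record = resolver.resolve(f"{prefix}.{domain}", rrtype)
    if record is not None:
        return record, resolver.queries - start

    # Step 2: look for a pointer on the unprefixed name.
    pointer = resolver.resolve(domain, "PTR")
    if pointer is None:
        return None, resolver.queries - start

    # Step 3: lookup of the prefix under the pointer target (single hop).
    record = resolver.resolve(f"{prefix}.{pointer}", rrtype)
    return record, resolver.queries - start


if __name__ == "__main__":
    r = ToyResolver(ZONE)
    for prefix, host in [("_dkim", "mail1.example.com"),
                         ("_dkim", "special.example.com"),
                         ("_yaddis", "ws42.example.com"),
                         ("_dkim", "nohost.example.com")]:
        rdata, n = resolve_prefixed(r, prefix, host)
        print(f"{prefix}.{host}: {rdata!r} after {n} queries")
```

The query counter is the part worth watching: a host that relies on the pointer needs three sequential round trips where a direct record needs one, and a host with neither record still costs two before the resolver can say "not found". That is the amplification Doug describes, and the single-hop rule in `resolve_prefixed` is the simplest cap a resolver can put on it.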