SPF and domain keys

2016-08-28 Thread project722
Let's say my domain is foxtrot.com and we have SPF records for the SMTP
servers on foxtrot.com. Now let's say I have decided I want to allow
alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com to
the SPF, but if I wanted to also use DomainKeys or DKIM to authenticate
alphazulu.com, would the keys need to be in foxtrot's name or alphazulu's? For
example,

Would I use:

_domainkey.foxtrot.com.  IN TXT  "t=y\; o=~\;"
xxx._domainkey.foxtrot.com.   IN TXT  "k=rsa\; p=xxx"

or

_domainkey.alphazulu.com.  IN TXT  "t=y\; o=~\;"
xxx._domainkey.alphazulu.com.   IN TXT  "k=rsa\; p=xxx"

Also,
1) Who generates the keys? Foxtrot or Alphazulu?
2) Would I need both SPF and keys, or would keys alone be enough to
authenticate the other domain? (I am in a position where I would like to
use only keys.)
3) Which one is better to use in terms of provider checking? For example,
are providers even checking keys as much as they are SPF?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Forwarding via different external networks

2016-08-28 Thread Paul Kosinski
"Your better bet is surely to dump the forwarders and to do your own 
recursion."

It doesn't solve the connectivity issue, but it sounds reasonable in
its own right: I'll have to try it.


On Sat, 27 Aug 2016 14:32:09 -0500
/dev/rob0  wrote:

> On Sat, Aug 27, 2016 at 02:32:42PM -0400, Paul Kosinski wrote:
> > Currently, I forward all outbound DNS via the DSL to the ISP's
> > DNS servers. (I have more confidence in the DSL provider not 
> > interfering with DNS than in Comcast.)
> 
> FWIW, it has been many years since I have dealt with Comcast as a 
> customer, but I can tell you for sure that Comcast employs some very 
> clueful DNS experts.
> 
> > However, there have been a couple of cases recently when the DSL 
> > was not getting beyond their gateway router, which meant that DNS 
> > would fail, causing much HTTP(S) to fail even though the cable 
> > network was working quite nicely.
> > 
> > So my question is, is it possible to configure my forwarding BIND 
> > to have a primary and *secondary* path for sending out DNS queries?
> 
> Your better bet is surely to dump the forwarders and to do your own 
> recursion.


Re: Forwarding via different external networks

2016-08-28 Thread Paul Kosinski
"... whatever else you use to failover from the primary to the
secondary would automatically ensure BIND resolves too."

That's the root of the problem: there is no automatic failover, and
providing one is a lot of work. I was hoping there was a simple BIND
config option so that BIND itself could fail-over the DNS lookups and
solve the immediate problem.


On Sat, 27 Aug 2016 23:29:08 -0700
Dave Warren  wrote:

> On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote:
> > So my question is, is it possible to configure my forwarding BIND to
> > have a primary and *secondary* path for sending out DNS queries? As
> > far as I can tell, the "query-source address" option in named.conf
> > only allows one outbound interface to be (implicitly) specified,
> > and I don't want to leave the outbound interface unspecified as
> > that would defeat monitoring and logging on the specific interface.
> > The "forwarders" option *does* allow multiple DNS servers to be
> > specified, but that doesn't help if the network path is down.
> > 
> > P.S. I suppose I might try something with policy routing, but that
> > was already a nightmare to set up, since I use DSL vs cable based
> > on the source and type (e.g. HTTP, SSH) of the traffic rather than
> > the more common destination.
> 
> Since you're forwarding anyway, why not forward to a pair of public
> servers, 8.8.8.8 and 8.8.4.4, or 4.2.2.1 and 4.2.2.2, and then use
> your routing table or other technique to route traffic for each
> destination IP?
> 
> However, since you run BIND, why bother with forwarding queries at
> all, I would recommend just resolving without forwarders, in which
> case BIND doesn't need any particular connection and whatever else
> you use to failover from the primary to the secondary would
> automatically ensure BIND resolves too.



Re: Forwarding via different external networks

2016-08-28 Thread Dave Warren
On Sun, Aug 28, 2016, at 19:22, Paul Kosinski wrote:
> "... whatever else you use to failover from the primary to the
> secondary would automatically ensure BIND resolves too."
> 
> That's the root of the problem: there is no automatic failover, and
> providing one is a lot of work. I was hoping there was a simple BIND
> config option so that BIND itself could fail-over the DNS lookups and
> solve the immediate problem.

What is the point of having reliable DNS if your other connectivity
doesn't failover? And/or, can't you just switch your DNS over when you
do the other failover manually?

I run exactly the same configuration here and have been through the ups
and downs of the various methods. They're all terrible. :)



Re: SPF and domain keys

2016-08-28 Thread Dave Warren
The easiest answer is: Whatever you want. Strictly speaking,
alphazulu.com can send mail on behalf of foxtrot.com using an
alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
However, it won't have DMARC alignment, which is becoming more and more
important, so if alignment is relevant, you'll need to use a
foxtrot.com selector.

tl;dr: Use a foxtrot.com selector unless you simply can't.

As for who generates it, it's irrelevant. The sending server will need
the private key, your DNS records will contain the public key, but it
makes no difference if foxtrot.com creates the keys and delivers them to
the appropriate parties, or if alphazulu.com generates a
private key and provides the alphazulu._domainkey.foxtrot.com record to
foxtrot.com.

Remember that you can have as many selectors as you want; don't reuse
them across trust boundaries (in other words, consider that in the
future, foxtrot.com and alphazulu.com may part ways, and when that happens,
it's ideal if you can remove the selector from your DNS (after a period
of time, at least a week), such that alphazulu.com cannot continue to
sign mail). It's also ideal if you don't have to update DKIM records
elsewhere in your infrastructure.

I hope at least some of this makes sense, but if not, ask. DKIM and
DMARC are fiddly, and a lot of the DKIM advice out there isn't
entirely complete now that DMARC is on the scene and DMARC builds on
top of DKIM and SPF.


On Sun, Aug 28, 2016, at 16:13, project722 wrote:
> Let's say my domain is foxtrot.com and we have SPF records for the SMTP
> servers on foxtrot.com. Now let's say I have decided I want to allow
> alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com
> to the SPF, but if I wanted to also use DomainKeys or DKIM to
> authenticate alphazulu.com, would the keys need to be in foxtrot's name
> or alphazulu's? For example,
> Would I use:
>
> _domainkey.foxtrot.com.  IN TXT  "t=y\; o=~\;"
> xxx._domainkey.foxtrot.com.   IN TXT  "k=rsa\; p=xxx"
>
> or
>
> _domainkey.alphazulu.com.  IN TXT  "t=y\; o=~\;"
> xxx._domainkey.alphazulu.com.   IN TXT  "k=rsa\; p=xxx"
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys, or would keys alone be enough to
>authenticate the other domain? (I am in a position where I would
>like to use only keys.)
> 3) Which one is better to use in terms of provider checking? For
>example, are providers even checking keys as much as they are SPF?
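The alignment point in the reply above (a signature under an alphazulu.com selector is valid DKIM but does not give foxtrot.com DMARC alignment, whereas a selector under foxtrot.com such as alphazulu._domainkey.foxtrot.com does) can be checked mechanically. The following is an added example written for this thread, not code from either poster. It parses the tag=value form used by DKIM-Signature headers and DKIM TXT records, derives the DNS name a verifier queries for the public key, and applies the DMARC relaxed/strict identifier alignment rule to the two choices of `d=` domain. It does not verify signatures or evaluate SPF; those results are taken as inputs. The organizational-domain derivation (last two labels) is a simplification assumed for the example; real DMARC uses the Public Suffix List. The selector names, signature headers and the bounce domain are constructed.

```python
# Added example for the foxtrot.com / alphazulu.com DKIM + DMARC scenario.
# Not part of the original bind-users posts. Signature verification and SPF
# evaluation are assumed done elsewhere and passed in as booleans.


def parse_tags(value: str) -> dict:
    """Parse a DKIM-style tag list ("v=1; d=foxtrot.com; s=alphazulu; ...")."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = val.strip()
    return tags


def dkim_key_record_name(sig_tags: dict) -> str:
    """The TXT record a verifier fetches: <selector>._domainkey.<d= domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations consult the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    hf = header_from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)


def dmarc_evaluate(header_from_domain, dkim_results, spf_result, adkim="r", aspf="r"):
    """dkim_results: list of (signature tags, signature verified?)
    spf_result: (MAIL FROM domain, SPF passed?)
    DMARC passes if at least one authenticated identifier is aligned."""
    dkim_aligned = any(ok and aligned(header_from_domain, tags["d"], adkim)
                       for tags, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    spf_aligned = spf_ok and aligned(header_from_domain, spf_domain, aspf)
    return {"dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned}


# Constructed signatures: same mail (From: user@foxtrot.com), sent by
# alphazulu's servers, signed under either domain's selector.
SIG_ALPHAZULU_SELECTOR = ("v=1; a=rsa-sha256; d=alphazulu.com; s=mail2016; "
                          "h=from:to:subject; bh=...; b=...")
SIG_FOXTROT_SELECTOR = ("v=1; a=rsa-sha256; d=foxtrot.com; s=alphazulu; "
                        "h=from:to:subject; bh=...; b=...")


def scenario() -> dict:
    """Evaluate both selector choices for a From: foxtrot.com message."""
    results = {}
    for label, sig in (("alphazulu_selector", SIG_ALPHAZULU_SELECTOR),
                       ("foxtrot_selector", SIG_FOXTROT_SELECTOR)):
        tags = parse_tags(sig)
        # Assumptions: the signature verified against the key at
        # dkim_key_record_name(tags), and alphazulu's MTA uses its own
        # (constructed) bounce domain in MAIL FROM, so SPF is unaligned.
        verdict = dmarc_evaluate("foxtrot.com",
                                 [(tags, True)],
                                 ("bounce.alphazulu.com", True))
        verdict["key_record"] = dkim_key_record_name(tags)
        results[label] = verdict
    return results


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(label, verdict)
```

Running it shows the alphazulu.com selector yielding a valid but unaligned DKIM result (DMARC fails unless SPF happens to align), and the foxtrot.com selector yielding an aligned result, which is the "use a foxtrot.com selector unless you simply can't" advice in code form. Removing the `alphazulu._domainkey.foxtrot.com` TXT record later is what revokes alphazulu.com's ability to produce the aligned signature.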