On Mon, Jan 6, 2025 at 4:42 PM Ben Schwartz wrote:
> DNSSEC* makes this clear. Otherwise, I don't believe it is revealed.
>
> --Ben Schwartz
>
> *When using classic offline signing.
>
Yes, classic (pre-computed signature) DNSSEC definitely reveals wildcards.
Online signing may or may not depen
It appears that Brotman, Alex said:
>It was suggested that some additional context may help the conversation a bit.
>
>In the email world, typically a valid A/MX for the 5321.From Domain is
>required for delivery (the envelope sender). Typically, you'll see these as
>"alex_brot...@comcast.com" i
On Jan 7, 2025, at 08:33, Brotman, Alex wrote:
>
> Coding can be done to discover these, but thought I'd ask if there were
> something inherent in the protocol that could disclose when a wildcard match
> was responsible for the result. Seems like in most cases, there is no such
> mechanism.
It was suggested that some additional context may help the conversation a bit.
In the email world, typically a valid A/MX for the 5321.From Domain is required
for delivery (the envelope sender). Typically, you'll see these as
"alex_brot...@comcast.com" in a valid/good message. There have been
On 7 Jan 2025, at 21:18, Shane Kerr wrote:
> This is a good point! I guess it depends on whether you really, REALLY care
> if the answer is made from a wildcard. Otherwise if the RDATA is the same you
> can safely assume that it was - or might as well be.
I don't think you can even say that th
Ed,
On 07/01/2025 01.09, Edward Lewis wrote:
On Jan 6, 2025, at 17:06, Shane Kerr wrote:
Alex,
On 06/01/2025 22.02, Brotman, Alex wrote:
Looking at something relating to the day job, and I'm curious if there's any
method declared in the IETF world where the query side of the interaction ca
On Jan 6, 2025, at 17:06, Shane Kerr wrote:
>
> Alex,
>
> On 06/01/2025 22.02, Brotman, Alex wrote:
>> Looking at something relating to the day job, and I'm curious if there's any
>> method declared in the IETF world where the query side of the interaction
>> can understand that the response w
Alex,
On 06/01/2025 22.02, Brotman, Alex wrote:
Looking at something relating to the day job, and I'm curious if there's any
method declared in the IETF world where the query side of the interaction can
understand that the response was fulfilled by a wildcard record. I've asked a
few folks,
These are zones I do not control. I assume the recursive I'm using (which does
support DNSSEC) is of no help here.
I'd be happier if everyone would sign, for a bunch of reasons. I'm sure many
would be.
--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
> -Original Mes
Sign the zone. Wildcard responses are visible in the DNSSEC records. The RRSIG
label count is different and there will be NSEC/NSEC3 records that show whether
the wild card response is valid or not.
--
Mark Andrews
> On 7 Jan 2025, at 08:04, Brotman, Alex wrote:
>
> Looking at something
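The RRSIG label-count comparison mentioned in the message above, shown as an added example that is not part of the thread or any poster's code. It follows the Labels field definition in RFC 4034 section 3.1.3; the function names and sample records are constructed for illustration, and names are assumed to contain no escaped dots.

```python
"""Detect wildcard expansion from the RRSIG Labels field (RFC 4034 section 3.1.3)."""

def _labels(name):
    # Assumption: presentation-format name with no escaped dots ("\.").
    return [l for l in name.rstrip(".").split(".") if l]

def count_labels(name):
    """Label count as the RRSIG Labels field defines it: the root label
    and a leading "*" label are not counted."""
    labels = _labels(name)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def wildcard_source(owner, rrsig_labels):
    """Return the wildcard owner name the answer was expanded from,
    or None when the RRset was signed under the queried name itself."""
    n = count_labels(owner)
    if rrsig_labels > n:
        # A Labels value larger than the owner name is never valid.
        raise ValueError("RRSIG labels exceed owner name labels")
    if rrsig_labels == n:
        return None
    labels = _labels(owner)
    closest = labels[len(labels) - rrsig_labels:]
    return ".".join(["*"] + closest) + "."

# Constructed sample answers: (owner name in the answer, RRSIG Labels field).
SAMPLES = [
    ("mail.example.com.", 3),
    ("bounce123.example.com.", 2),
    ("a.b.example.com.", 2),
]

def classify(samples):
    return {owner: wildcard_source(owner, n) for owner, n in samples}

if __name__ == "__main__":
    for owner, src in classify(SAMPLES).items():
        print(owner, "->", src or "exact match")
```

The Labels value is only meaningful once the RRSIG itself validates and the accompanying NSEC/NSEC3 records prove that no closer match exists, which requires a signed zone and a query that requests DNSSEC records.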
DNSSEC* makes this clear. Otherwise, I don't believe it is revealed.
--Ben Schwartz
*When using classic offline signing.
From: Brotman, Alex
Sent: Monday, January 6, 2025 4:02 PM
To: dnsop@ietf.org
Subject: [DNSOP] Flag for Wildcard Responses
Looking at someth