On 2010-02-14 19:20, dar...@chaosreigns.com wrote:

On 02/14, Jonas Eckerman wrote:

* I think there should be a way to tell the world whether you are using
the scheme for a domain (not host) or not. This could easily be done in
DNS.

I need to think about this more, thanks for the suggestion.  (More on
registrar boundaries below.)

* I think you should follow conventions in DNS naming, using an
underscore to signify that the DNS record is a "special" type of record.
This is quite common.

That's probably a good idea, hmm.

You could use SpamAssassin's registrar boundaries stuff for getting the
domain in a SA plugin, and score higher for missing MTX host record if
there is an MTX domain record.

How good is SA's registrar boundaries stuff?

Not sure, but it's used in various places if you use SA, so if it isn't good that will have effects on SA anyway.

I don't think
"Use SpamAssassin's registrar boundaries" would be good in an RFC.

I only meant that SA's Mail::SpamAssassin::Util::RegistrarBoundaries could be used for this in an SA plugin.

In the RFC I'd suggest it be specified that domain policies should be checked based on domain registry boundaries (but with better wording than mine).

I don't even know where the record should be for wildlife.state.nh.us.
www.state.nh.us exists, which would indicate mtx.state.nh.us.

Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain returns "wildlife.state.nh.us" for "wildlife.state.nh.us" (and for "whatever.wildlife.state.nh.us"), suggesting that a policy record should be "policy._mtx.wildlife.state.nh.us" or similar.

Whether that makes sense or not, I don't know. It does trim for example "mail.microsoft.us" to "microsoft.us", so I guess there's a special reason for it to trim the "state.nh.us" subdomains to more than two levels.

Even if SA's registrar boundaries pointed to mtx.wildlife.state.nh.us,
you'd still need to be able to delegate to another subdomain.

Yes, you'd need that. As I see it, there are two simple ways to do this.

* Make it possible to indicate policy delegation in the policy record. I see you thought about this one already. :-)

* Or, make an MTX checker traverse domain from the one it checks towards the registry boundary when checking for policy. This means more DNS lookups but might be easier to administrate. (I have a vague recollection that DKIM or ADSP works this way... Not sure though)

Or maybe participant._mtx.frukt.org.  Giving an A record to the _mtx
subdomain itself seems potentially problematic,

Agreed. And seeing as a hostname should not contain underscore, that wasn't a very good idea of mine.

Any suggestions other than
"participant"?

"policy" seems better than "participant" to me.

Regards
/Jonas

--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
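
The second option discussed in the message (walking from the checked name toward the registry boundary), as an added example that is not part of the original message or of any MTX specification. The `policy._mtx` label follows the naming floated in the thread; the boundary set, the `lookup` callable and the record value are constructed assumptions.

```python
# Added illustration: walk from a host name toward the registry boundary,
# looking for the closest policy record. All data here is constructed.
BOUNDARIES = {"us", "state.nh.us", "org"}  # stand-in for a real boundary list
POLICY_LABEL = "policy._mtx"  # naming floated in the thread, not a final spec


def trim_domain(host, boundaries=BOUNDARIES):
    """Registrable domain: the longest matching boundary plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in boundaries:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known boundary: keep the whole name


def policy_names(host, boundaries=BOUNDARIES):
    """Names to query, most specific first. The walk stops at the registrable
    domain, so a parent zone above the boundary can never supply the policy."""
    labels = host.lower().rstrip(".").split(".")
    stop = trim_domain(host, boundaries)
    names = []
    while True:
        current = ".".join(labels)
        names.append(f"{POLICY_LABEL}.{current}")
        if current == stop or len(labels) == 1:
            return names
        labels = labels[1:]


def find_policy(host, lookup, boundaries=BOUNDARIES):
    """Return (record_name, value) for the closest policy, or None.
    `lookup` maps a name to a value or None (a DNS query in practice)."""
    for name in policy_names(host, boundaries):
        value = lookup(name)
        if value is not None:
            return name, value
    return None


if __name__ == "__main__":
    zone = {"policy._mtx.frukt.org": "constructed-policy-value"}  # constructed
    print(policy_names("whatever.wildlife.state.nh.us"))
    print(find_policy("whatever.frukt.org", zone.get))
```

The lookup count per checked host is bounded by the number of labels below the registry boundary, which is the "more DNS lookups" cost mentioned in the message.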
