On Wed, Jan 13, 2016 at 05:41:09AM -0000, John Levine wrote:
> I admire the faith you have in DNS operators, but find it baffling.
> For a lot of the ones I know, their heads would explode at having to
> mix TXT SPF records for the incoming mail and TLSA for the outgoing
> mail at the same names in the same zone files. They'd probably try
> to kludge it with CNAME and break everything.
The TXT SPF records will be at the zone apex. The _smtp-client (or
just _smtp) prefix will be for each client MTA! There's little
opportunity for collisions, except at domains with just a single
node at the zone apex holding all the records and not even using
a hostname under the domain for outgoing connections as a mail
client. If that domain operator needs CNAMES for the client
TLSA record (to where???) they can create a suitable sub-domain
for the client name.
; zone apex MX record
example.com. IN MX 0 smtp.example.com.
; zone apex SPF record
_spf.example.com. IN TXT ...
; MX host A record
smtp.example.com. IN A 192.0.2.1
; SMTP client
_smtp.smtp.example.com. IN TLSA 3 1 1 ...
; SMTP server
_25._tcp.smtp.example.com. IN CNAME _smtp.smtp.example.com.
> We already have a managed service namespace, which you can use with
> trivial ease as _<service>._client._tcp.<domain>. But I'm hearing no,
> to save 12 characters in the domain name, and 12 lines of code in the
> clients, we'll tell people to make up random prefixed names and when
> the collisions inevitably happen, it won't be our problem.
It is zero extra lines of code, but what do these extra bytes buy us?
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane