> We can’t just use a wildcard CNAME record because there doesn’t seem to be
> any way to generate the necessary second level subdomain that we need (the
> _dmarc.baddomain.gov.uk).

As you surmise, that won't work. For one thing _dmarc.*.gov.uk isn't a wildcard, and for another, *.gov.uk only matches names that don't already exist and don't have an existing parent. So if, for example, mod.gov.uk exists, *.mod.gov.uk won't match. This is not considered to be a bug.

> DNAME would be the most obvious way to do this, but it’d need a wildcard
> DNAME and they’re ‘frowned upon’ ☺.

Indeed they are, because they don't work either. You cannot have any DNS records or any NS delegations below a DNAME. In practice DNAMEs are not very useful.

> Before we start thinking about doing something kludgy (probably looking for
> failed lookups for TXT records in logs and adding the subdomain to the zone,
> which sucks), does anyone have any ideas that we could try? I can’t believe
> this is the first time this has been encountered!

Honestly, you need to figure out how to get the attention of the people to whom you have delegated subdomains and have them fix their DNS. I realize this is not easy.

I have often surmised that rather than delegating subdomain zones, you're much better off with one big zone with a provisioning system that lets people mess with the records in their subtree. Then it's still your provisioning system so if they get things wrong, or you want to help them set up records like SPF or DMARC that they haven't gotten around to doing themselves, you can just do it.

R's,
John

-- 
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
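The wildcard rules John describes (only `*.<closest encloser>` can match, and a name that already exists or sits under a delegation is never matched by the parent's wildcard) can be checked against a small model of the RFC 1034 / RFC 4592 matching algorithm. The following is an added example, not code from the thread, John Levine or the IETF; the zone contents, the `dept.gov.uk` host, the name server names and the DMARC policy string are all constructed for illustration, and the model ignores CNAME chasing and DNSSEC.

```python
# Added example: a minimal model of DNS name matching (RFC 1034 4.3.2 as
# clarified by RFC 4592) applied to _dmarc lookups in a parent zone.
# All zone data below is constructed for illustration.
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner name -> RR type -> rdata list


def norm(name: str) -> str:
    """Canonical form used for comparisons: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def labels(name: str) -> List[str]:
    return norm(name).split(".")


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of a name that does
    (an empty non-terminal). Note that '_dmarc.*.gov.uk' makes '*.gov.uk' exist."""
    nl = labels(name)
    for owner in zone:
        ol = labels(owner)
        if len(ol) >= len(nl) and ol[-len(nl):] == nl:
            return True
    return False


def names_from_apex(apex: str, qname: str) -> List[str]:
    """All names on the path apex -> ... -> qname, one label at a time."""
    al, ql = labels(apex), labels(qname)
    if ql[-len(al):] != al:
        raise ValueError(f"{qname} is not under {apex}")
    return [".".join(ql[len(ql) - n:]) for n in range(len(al), len(ql) + 1)]


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, str, List[str]]:
    """Return (status, name the answer came from, rdata list)."""
    path = names_from_apex(apex, qname)
    closest = path[0]                       # closest encloser found so far (the apex)
    for name in path[1:]:
        if not name_exists(zone, name):
            break                           # descent stops here; `closest` is the closest encloser
        if "NS" in zone.get(name, {}):      # delegation below the apex: refer, never consult wildcards
            return ("REFERRAL", name, list(zone[name]["NS"]))
        closest = name
    if closest == norm(qname):              # exact match of the query name
        rrs = zone.get(closest, {}).get(qtype, [])
        return ("NOERROR" if rrs else "NODATA", closest, list(rrs))
    wildcard = "*." + closest               # the only wildcard that can match (RFC 4592 3.3.1)
    if not name_exists(zone, wildcard):
        return ("NXDOMAIN", closest, [])
    rrs = zone.get(wildcard, {}).get(qtype, [])
    return ("NOERROR" if rrs else "NODATA", wildcard, list(rrs))


DMARC_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@gov.uk"   # constructed value
APEX_RRS = {"SOA": ["ns0.gov.uk. hostmaster.gov.uk. 1 3600 900 604800 300"],
            "NS": ["ns0.gov.uk"]}

# Parent zone with a real wildcard, a delegated child (mod.gov.uk, as in the
# thread) and a non-delegated host (dept.gov.uk, constructed) with no _dmarc record.
GOV_UK_ZONE: Zone = {
    "gov.uk":      APEX_RRS,
    "*.gov.uk":    {"TXT": [DMARC_POLICY]},
    "mod.gov.uk":  {"NS": ["ns1.mod.gov.uk"]},
    "dept.gov.uk": {"A": ["192.0.2.10"]},
}

# The record the original poster was considering. The asterisk is not the
# leftmost label, so this is a literal owner name, not a wildcard.
NAIVE_ZONE: Zone = {
    "gov.uk":          APEX_RRS,
    "_dmarc.*.gov.uk": {"TXT": [DMARC_POLICY]},
}

if __name__ == "__main__":
    for zone, q in [(GOV_UK_ZONE, "_dmarc.baddomain.gov.uk"),   # never-seen name: wildcard applies
                    (GOV_UK_ZONE, "_dmarc.mod.gov.uk"),         # under a delegation: referral
                    (GOV_UK_ZONE, "_dmarc.dept.gov.uk"),        # parent exists: NXDOMAIN
                    (NAIVE_ZONE, "_dmarc.baddomain.gov.uk")]:   # literal '*' label: no TXT returned
        print(f"{q:28s} -> {lookup(zone, 'gov.uk', q, 'TXT')}")
```

Running it shows the three failure modes from the thread side by side: the wildcard only synthesises an answer for `_dmarc.baddomain.gov.uk` when `baddomain.gov.uk` does not exist at all; once `mod.gov.uk` is delegated the parent answers with a referral and its wildcard is never consulted; and a non-delegated name that merely exists (`dept.gov.uk`) blocks the wildcard just as effectively, giving NXDOMAIN. The `_dmarc.*.gov.uk` record never contributes an answer, because the matching wildcard is `*.gov.uk`, which that record only creates as an empty non-terminal. A DMARC checker therefore sees no policy in all but the first case, which is why the remedy has to be in the child zones (or in a single provisioned zone) rather than in the parent.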