Re: [apps-discuss] "finding registered domains"

"MH Michael Hammer (5304)" <MHammer@ag.com> Wed, 13 March 2013 04:41 UTC

From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Date: Wed, 13 Mar 2013 04:41:00 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B05600CB2@USCLES544.agna.amgreetings.com>
In-Reply-To: <20130313032655.GD41909@mx1.yitter.info>

> -----Original Message-----
> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org] On Behalf Of Andrew Sullivan
> Sent: Tuesday, March 12, 2013 11:27 PM
> To: apps-discuss@ietf.org
> Subject: Re: [apps-discuss] "finding registered domains"
> 
> On Tue, Mar 12, 2013 at 06:58:28PM -0400, Murray S. Kucherawy wrote:
> > In my use case, it's defined that an example.com policy is used (if it
> > exists) in the absence of a foo.bar.example.com policy.  The problem
> > is I don't know how far up the tree to make that second query.
> 
> In order for that to be defined, you put a SOPA record at
> foo.bar.example.com that says "example.com".  If you have no SOPA record,
> the policy for foo.bar.example.com is "nobody else shares this".  This is a
> "default closed" policy, which I think has to be the right one.
> 

I'm trying to wrap my head around this for the use case for domain trees such as example.co.uk. We know (or should know) that the (or at least one important) cut is always going to be at .co.uk. I think this is one of the use cases that has been problematic. Do we really want to rely on each subdomain up the tree publishing a SOPA record for this type of case? What do we do when some subdomains publish and others do not? Is the intent to force domain administrators to go along by them ending up with suboptimal outcomes if they don't?

I'm not asking these things to be snarky - I'm really not clear on the thinking here. In the email authentication space we've always gone to some lengths to avoid imposing new standards (SPF, DKIM, DMARC) on folks that don't really care to participate. I'm also concerned because my experience is that so many admins/domain owners get even the simplest DNS records wrong in implementation.

> There's something slightly awkward about this for the CA case, however,
> when you have deep trees and you want a wildcard cert that descends the
> tree from example.com.  I'm still not sure what to do about that, because it's
> going to be impossible to enumerate all the names under a wildcard (and
> anyway, you can't do multi-label wildcards).  I remain a little unhappy about
> this, but it strikes me that anyone doing wildcard certs for deep trees may be
> in a world of hurt anyway, and it would be better to add an additional SOPA
> record for (for instance) *.oneIactuallyWant.example.com.
> 
> > So in my case I explicitly will believe the
> > parent/grandparent/whatever statement, but I don't know how far up to
> > go, and I don't want to ask everyone; I only want to ask at most two
> > questions.
> 
> As long as you have the pointer up the tree, that should work.
> 
> A
> 
> --

Mike
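The lookup discussed in this exchange, as an added example that is not code from this thread or from any draft: the client queries the name itself and follows at most one SOPA-style pointer up the tree, so the "default closed" case (no record means nobody else shares the policy) and Murray's two-query bound are both visible. The record layout, the constructed zone data, and the check that a pointer may only name a proper ancestor of the queried name are assumptions made here.

```python
"""Added illustration of the pointer-up-the-tree lookup; record shapes,
zone contents and the ancestor check are constructed assumptions."""

# Constructed zone: name -> records published at that name.
ZONE = {
    "example.com":          {"policy": "example.com-policy"},
    "foo.bar.example.com":  {"sopa": "example.com"},        # points up the tree
    "self.example.com":     {"policy": "self-policy", "sopa": "example.com"},
    "orphan.example.com":   {},                             # no record: default closed
    "example.co.uk":        {"policy": "example.co.uk-policy"},
    "shop.example.co.uk":   {"sopa": "example.co.uk"},
    "bad.example.co.uk":    {"sopa": "other.example.net"},  # not an ancestor: rejected
    "loop.example.com":     {"sopa": "x.loop.example.com"}, # points below itself: rejected
}


def is_proper_ancestor(ancestor, name):
    """True only if `ancestor` is a strict parent of `name` on a label boundary."""
    a = ancestor.lower().rstrip(".")
    n = name.lower().rstrip(".")
    return a != n and n.endswith("." + a)


class Resolver:
    """Stand-in for DNS lookups; counts queries so the two-query bound is checkable."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        return self.zone.get(name.lower().rstrip("."), {})


def find_policy(resolver, name):
    """Return (policy_domain, policy_or_None) using at most two queries."""
    own = resolver.lookup(name)                       # query 1: the name itself
    if "policy" in own:
        return name, own["policy"]                    # a policy at the name wins
    target = own.get("sopa")
    if target is None or not is_proper_ancestor(target, name):
        return name, None                             # default closed, or bad pointer
    parent = resolver.lookup(target)                  # query 2: the pointed-to name
    return target, parent.get("policy")
```

Names with no record, such as orphan.example.com, never cause the parent to be consulted, which is exactly the example.co.uk concern raised above.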