From 6da0fac640a5ce9a11dc6841811bb1cdf742bc0c Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Wed, 27 May 2020 11:12:03 +0200 Subject: [PATCH] Updated information for parked domains --- DKIM-how-to.md | 5 +++- parked-domain-how-to.md | 24 ++++++++++++------- .../DNS-records-overview.md | 0 3 files changed, 19 insertions(+), 10 deletions(-) rename DNS-records-overview.md => under construction/DNS-records-overview.md (100%) diff --git a/DKIM-how-to.md b/DKIM-how-to.md index b583245..e707b7a 100644 --- a/DKIM-how-to.md +++ b/DKIM-how-to.md 
@@ -32,7 +32,10 @@ A common used technique used by spammers is to trick the receiving party into be # Tips, tricks and notices for implementation * Use a DKIM key (RSA) of [at least 1024 bits](https://tools.ietf.org/html/rfc6376#section-3.3.3) to minimize the successrate of offline attacks. Don't go beyond a key size of 2048 bits since this is not mandatory according to the RFC. * Make sure to change your DKIM keys regularly. A rotation scheme of 6 months is recommended. -* It is generally recommended to explicitly configure parked domains to not use e-mail. For DKIM this is done with an empty policy: "v=DKIM1; p=". +* If a domain is not using e-mail (anymore), it is recommended to set an empty public key: "v=DKIM1; p=". + * When used with a specific selector, an empty public key means that e-mail signed with the associated public key must be considered unreliable since they public key was revoked. + * When used with a wildcard selector, setting an empty public key indicates that all previously used keys are revoked and must be considered unreliable. The owner of a domain can also use this to explicitly signal that a domain is not configured to use e-mail. + * [According to the RFC](https://tools.ietf.org/html/rfc6376#section-6.1.2) the absence of a selector / public key (e.g. as a result of deleting the entire DKIM resource record) is semantically equal to a resource record with an empty public key. ## Canonicalization As mentioned in [RFC 6376 section 3.4](https://tools.ietf.org/html/rfc6376#section-3.4) some mail systems modify e-mail in transit. This type of modification is called canonicalization and is generally used to make things comparable before presenting the email to the signing or verification algorithm. You can imagine that this is important when signing and validating an e-mail; if things change too much this can invalidate a DKIM signature, which also impacts DMARC. 
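Review bot: the first new sub-bullet mixes up the keys: mail is signed with the private key, and the empty `p=` revokes the published public key, so "e-mail signed with the associated public key must be considered unreliable since they public key was revoked" should read "e-mail signed with the corresponding private key must be considered unreliable, since the public key has been revoked". The third sub-bullet's "semantically equal" is also stronger than the linked section supports: a verifier fails the signature in both cases, but a missing record and an empty `p=` are reported as different PERMFAIL reasons (no key for signature vs. key revoked), which matters when reading verifier logs or DMARC failure reports, so "has the same effect on verification" would be more accurate.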
diff --git a/parked-domain-how-to.md b/parked-domain-how-to.md index fbd6429..9d2deaf 100644 --- a/parked-domain-how-to.md +++ b/parked-domain-how-to.md 
@@ -1,26 +1,32 @@ # Introduction This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on explicitly configuring a parked domain not to use e-mail. -# Null MX +# What is a parked domain? +[Domain parking](https://en.wikipedia.org/wiki/Domain_parking) is the registration of an Internet domain name without that domain being associated with any services such as e-mail or a website. + +## Domain without e-mail +If a domain is not using e-mail it is recommended to use the following settings. + +### Null MX Explicitly configure an 'empty' MX record according to [RFC7505 ](https://tools.ietf.org/html/rfc7505). `example.nl IN MX 0 .` -# DMARC +### DMARC +Set DMARC policy to reject mails, but allow reporting to take place. This helps detecting activity related to your domain. `_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:rua@example.nl; ruf=mailto:ruf@example.nl` -# DKIM +### DKIM -`selector._domainkey IN TXT "v=DKIM1; p="` +`*._domainkey IN TXT "v=DKIM1; p="` -# SPF +### SPF `example.nl IN TXT "v=spf1 –all"` - -# Other tips and tricks + +## Domain without a website * Don't use an A or AAAA record for parked domains. -* Don't redirect from a parked domain to the used domain, since this encourages users to keep using the parked domain name. - * If a redirect is used, make sure to use the proper redirect order in order for HSTS headers to remain effective: +* Don't redirect from a parked domain to the used domain, since this encourages users to keep using the parked domain name. If a redirect is desirable, make sure to use the proper redirect order in order for HSTS headers to remain effective: 1. redirect from HTTP to HTTPS on the same (sub)domain. 2. when using HTTPS, redirect to another (sub)domain. 
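Review bot: the new DMARC sentence says reporting "helps detecting activity related to your domain", but the record below it keeps `rua=mailto:rua@example.nl; ruf=mailto:ruf@example.nl` while the Null MX and `v=spf1 –all` in the same section declare that example.nl accepts no mail, so those reports can never be delivered; point rua/ruf at a domain that does receive mail (that domain then needs an `example.nl._report._dmarc` TXT record authorizing the external destination) or drop the ruf tag. Two copy-paste defects in the retained records will also break a zone file: the DMARC TXT value is missing its closing double quote, and the SPF line uses an en dash in `–all` where a hyphen-minus (`-all`) is required. Minor: "This helps detecting activity" should be "This helps detect activity".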
diff --git a/DNS-records-overview.md b/under construction/DNS-records-overview.md similarity index 100% rename from DNS-records-overview.md rename to under construction/DNS-records-overview.md