Checking if MTA-STS is enabled - security

I wanted to know how we can test whether MTA-STS is enabled for a domain. If I query the TXT DNS record of _mta-sts.domainName.com and receive a response with v=STSv1 as the version, then I would assume it's enabled. However, if the response contains v=spf1, does that imply that MTA-STS is not enabled? TIA!

It is a bit more complicated.
In addition to the TXT record, to find out if MTA-STS is enabled for a domain you would need to fetch the policy file at https://mta-sts.{yourdomain.tld}/.well-known/mta-sts.txt, as that file lists the state: none, testing or enforce. Only if 'enforce' is there may you conclude MTA-STS is enabled. (So both the TXT record and the enforce setting.)
Easy assist? Check this: https://www.mailhardener.com/tools/mta-sts-validator and fill in a domain. The site will explain every value.
The TXT record you refer to only suggests that a policy file should exist, not that the policy itself is "set to on". Secondly, the TXT record displays a version number of the policy.
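The check the answer describes, as an added example that is not part of the original answer: parse the _mta-sts TXT record and the policy file the way RFC 8461 defines them, and report which mode the domain is in. The function names and the sample records are constructed for this example; for a real domain, feed it the strings returned by dig +short TXT _mta-sts.example.com and the body of https://mta-sts.example.com/.well-known/mta-sts.txt. A v=spf1 record at that name is simply not an MTA-STS record, which is why the asker's case falls out as "not enabled" rather than as an error.

```python
"""Decide whether a domain has MTA-STS enabled from the two artefacts the
answer describes: the TXT record at _mta-sts.<domain> and the policy file
served at https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461).

All records and policy texts in this file are constructed samples."""
import re

_POLICY_ID = re.compile(r"^[A-Za-z0-9]{1,32}$")  # RFC 8461 3.1: 1*32(ALPHA / DIGIT)


def parse_sts_txt(txt_records):
    """Return the policy id from the single valid STSv1 TXT record, else None.

    A record that does not start with v=STSv1 (a v=spf1 record at the same
    name, for instance) is not an MTA-STS record and is ignored; more than
    one STSv1 record means the domain has no valid MTA-STS record.
    """
    ids = []
    for rec in txt_records:
        fields = [f.strip() for f in rec.split(";") if f.strip()]
        if not fields or fields[0] != "v=STSv1":
            continue
        tags = dict(f.partition("=")[::2] for f in fields[1:])
        if _POLICY_ID.match(tags.get("id", "")):
            ids.append(tags["id"])
    return ids[0] if len(ids) == 1 else None


def parse_policy(policy_text):
    """Parse the policy file body; None if it is not a valid STSv1 policy."""
    policy = {"mx": []}
    for line in policy_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            return None
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)       # one line per MX pattern
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # any other key is an extension field and is ignored
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        return None
    if policy["mode"] != "none" and not policy["mx"]:
        return None                          # enforce/testing need an mx list
    return policy


def mta_sts_status(txt_records, policy_text):
    """Combine both artefacts: returns (enabled, mode, explanation)."""
    policy_id = parse_sts_txt(txt_records)
    if policy_id is None:
        return (False, None, "no single valid v=STSv1 TXT record at _mta-sts")
    policy = parse_policy(policy_text)
    if policy is None:
        return (False, None, "TXT record found but the policy file is missing or malformed")
    if policy["mode"] == "none":
        return (False, "none", "policy %s published with mode none" % policy_id)
    if policy["mode"] == "testing":
        return (True, "testing", "policy %s: failures are reported, delivery continues" % policy_id)
    return (True, "enforce", "policy %s: MX or TLS mismatch blocks delivery" % policy_id)


# Constructed samples covering the cases in the question and the answer.
SAMPLE_TXT_OK = ["v=STSv1; id=20240101T000000Z"]
SAMPLE_TXT_SPF = ["v=spf1 include:_spf.example.com -all"]   # not an MTA-STS record
SAMPLE_POLICY_ENFORCE = (
    "version: STSv1\nmode: enforce\nmx: mail.example.com\n"
    "mx: *.backup.example.com\nmax_age: 604800\n")
SAMPLE_POLICY_TESTING = SAMPLE_POLICY_ENFORCE.replace("enforce", "testing")

if __name__ == "__main__":
    for txt, pol in [(SAMPLE_TXT_OK, SAMPLE_POLICY_ENFORCE),
                     (SAMPLE_TXT_OK, SAMPLE_POLICY_TESTING),
                     (SAMPLE_TXT_SPF, SAMPLE_POLICY_ENFORCE)]:
        print(mta_sts_status(txt, pol))
```

Two details worth noting when reading the output: a domain in testing mode does publish MTA-STS (senders fetch and honour the policy for reporting) but nothing is rejected, so the answerer's "only enforce counts" is the right bar for protection; and a TXT record without a reachable, valid policy file gives no protection at all, which is why the TXT record alone proves nothing.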

Related

What’s the purpose of an invalid wildcard DKIM record?

Microsoft and GOV.UK recommend creating a record like the following on any domain that doesn’t send email.
TXT *._domainkey v=DKIM1;p=
As I understand it, the purpose is to explicitly fail DKIM, rather than leaving open the possibility that real emails from this domain don’t use DKIM.
But I don’t see how it accomplishes that. If the spammer includes an invalid DKIM header, then it’s invalid, not just missing, whether the DNS lookup result is no match or a conflicting match. And if the spammer omits the DKIM header, then a wildcard DNS record doesn’t tell you that there isn’t a valid DKIM record somewhere. It doesn’t communicate that the email should have used DKIM, while the following does:
TXT _domainkey o=!
So what is the wildcard invalid DKIM record accomplishing?
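For the two lookup outcomes the question compares (no record at the selector name versus the wildcard record with an empty p= tag), this added example, which is not from the question or from the Microsoft or GOV.UK guidance it cites, classifies the DNS answer at selector._domainkey.domain the way RFC 6376 (sections 3.6.1 and 6.1.2) tells a verifier to. The sample records are constructed. The _domainkey o=! record is the older DomainKeys (RFC 4870) policy syntax and is outside what this code looks at; only the selector key record is classified.

```python
"""What a DKIM verifier concludes from the key record found at
<selector>._domainkey.<domain>, following RFC 6376 sections 3.6.1 and 6.1.2.
The lookup results below are constructed; nothing is queried live."""
import base64
import binascii


def parse_dkim_tags(record):
    """Parse a DKIM tag=value list; returns None on syntax errors."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            return None                      # missing '=' or duplicate tag
        tags[name] = "".join(value.split())  # whitespace inside values is ignored
    return tags


def classify_dkim_key(txt_records):
    """Classify the DNS answer for a selector the way a verifier does.

    txt_records: TXT strings at the selector name ([] for NXDOMAIN or no TXT).
    Returns 'no-key', 'revoked', 'malformed' or 'usable'. Only 'usable' can
    lead to a DKIM pass; the other three are all PERMFAIL in RFC 6376 terms.
    """
    if not txt_records:
        return "no-key"                      # 6.1.2: "no key for signature"
    tags = parse_dkim_tags(txt_records[0])   # the RFC lets the verifier pick one record
    if tags is None:
        return "malformed"
    if "v" in tags and (list(tags)[0] != "v" or tags["v"] != "DKIM1"):
        return "malformed"                   # v= must be first and must be DKIM1
    if "p" not in tags:
        return "malformed"                   # p= is REQUIRED
    if tags["p"] == "":
        return "revoked"                     # 3.6.1: empty p means the key is revoked
    try:
        base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"                   # key syntax error
    return "usable"


# Constructed lookup results. The wildcard record from the question makes
# every selector under the domain return WILDCARD_REVOKED; a domain with no
# record at all returns NO_RECORD.
NO_RECORD = []
WILDCARD_REVOKED = ["v=DKIM1;p="]
REAL_KEY = ["v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed, not a real key").decode()]

if __name__ == "__main__":
    for name, answer in [("none", NO_RECORD), ("wildcard", WILDCARD_REVOKED), ("key", REAL_KEY)]:
        print(name, classify_dkim_key(answer))
```

Seen through this classifier, the empty-key wildcard changes the verifier's reason code from "no key" to "key revoked" but not its verdict; both are PERMFAIL, which is exactly the distinction the question is asking about.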

Update nameservers while transferring a domain

I am trying to change the nameservers for a domain that is being transferred to another registrar. The process takes between 5 and 7 days.
The former domain registrar is refusing to update the nameservers while the transfer is taking place.
I searched the transfer policy on ICANN but I did not find anything that prohibits me from changing the nameservers while the domain is being transferred.
Is there another ICANN policy that defines this?
The answer depends on the TLD.
In the most frequent case (that is, using EPP without a specific extension), a transfer of a domain name is made without any change to its current technical configuration. So the nameservers can be changed just before the transfer is started or just after it is completed, but not during it.
You cannot change anything on the domain name while the transfer is pending, because the domain will be in the pendingTransfer EPP status, and no update to a domain name is allowed while it is under a "pending" status.
The former registrar can do nothing, even if it wanted to, as soon as the transfer is started, as this is under the control of the registry. This is not an ICANN policy; this is a technical rule described in the EPP RFCs (see STD69 at https://www.rfc-editor.org/info/std69).
In gTLDs, the transfer can typically last up to 5 days, but this is for administrative reasons, not technical ones. You can speed it up by explicitly allowing it at the current sponsoring registrar (for those that offer their customers this option).
Note that in some TLDs you can specify, at the moment you request the transfer, the new nameservers to use, but this will also only be applied after the transfer is finished.
You can get the same behaviour from any competent registrar for any TLD to which you have decided to transfer the domain: it can record both your order to do the transfer and the new nameservers you would like, so that as soon as the transfer finishes it automatically sets the new nameservers for you.

Cloud Service Custom Domain Redirection configuration

I am not sure whether these are the correct words to describe the problem, but I will try my best to explain.
Suppose I deployed a cloud service with the name A. Now the client asks me for a nicer domain name than A.cloudapp.net, so according to that need I gave him the fancy domain name A.myapp.com.
After some time they think A is not a good name, and ask for B. So I change the deployment to B.cloudapp.net and then configure the custom domain name as B.myapp.com.
The client comes again and says: my customers are still using A.myapp.com. Can you do something to redirect them to B.myapp.com, with a message that it has moved to another address?
As far as I know I only used a CNAME and an A record at the domain registrar. How can I show a message there that this page has moved to another domain?
If A.myapp.com is no longer in the DNS records then the only way it's still working is that the DNS propagation hasn't taken full effect yet. That can take up to a few days. Once that happens, A.myapp.com should no longer resolve. This might also be working if you have a wildcard record for *.myapp.com pointing to the same A.cloudapp.net site.
You can create the A.myapp.com DNS record (if it's not still there) and point it to the same cloudapp.net app again, but then in your cloud app look at the hostname as it comes in on the request. If it is A.myapp.com, show them a specific page that reminds them this is now B.myapp.com and then redirect them.

CNAME to an A - pointer To webpage

Is it possible to use a CNAME record that points to an A record that points to the web application?
I've tried this multiple times now without any success, and I'm starting to think that it is not possible?!
I got this:
"Bad request, invalid hostname"; I think it's a 400 error.
If it is not possible to do it this way, can someone please give me some ideas on how to start?
My web application:
I have a couple of users registered at my web application.
Each user is supposed to get a subdomain, for example user1.mydomain.com (A record to web.mydomain.com, where all the aspx files are).
By reading the domain name I get the userID.
If this is not possible I have to put a lot of files in each domain, which I don't want to do. What would you do?
Wildcards are not possible.
Why a CNAME to an A? I have to take into account that each user may want to point their own domain to his or her account at my place, so their record should be a CNAME...
Thanks!
The problem is that your virtual hosts are not configured to accept requests for the domain the CNAME record is for.
You need to set the ServerAlias directive (assuming you are using Apache) so it contains all possible variants that you want to use to access your app.
A CNAME record is simply an alias of an A record, so it will always resolve to the IP that the A record points to. What you need to do is tell your web server how to handle those domains (it's based on the Host: header of the HTTP request).
You will find that you have same problem if you create A records for your other subdomains, instead of CNAMEs.
If you need to dynamically add/remove users, you would probably want to use mod_vhost_alias so you don't have to restart Apache every time you do it.
EDIT Sorry, just noticed the reference to aspx, which presumably means you are using IIS, which means I can't tell you exactly how to configure it since I know next to nothing about IIS. Re-tag this question with IIS and someone will probably be able to help :-)
ANOTHER EDIT This page from M$ may help you with IIS virtual hosting, although I still don't know how to do it dynamically/programmatically.
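Both of the answers above come down to the same thing: the web server decides what to do from the Host header, whether that is the redirect-with-a-message for A.myapp.com or serving user1.mydomain.com and a customer's own CNAMEd domain from one application. The following WSGI application does both. It is added here and is not from either answer; the hostnames, the user table and the customer-domain table are constructed, and a real deployment would load them from its database. Two points a practitioner would want: a Host header the application does not know gets the same 400 "Bad Request - Invalid Hostname" that IIS returns when no site binding matches, instead of being served anyway, and the redirect target is a fixed constant rather than anything taken from the request, so a forged Host header cannot turn the redirect into an open redirect.

```python
"""Host-header routing for the two situations above: send a retired hostname
to its successor with a message, and map per-user subdomains or a customer's
own CNAMEd domain to a user ID. Plain WSGI; hostnames and tables are
constructed for this example."""
from urllib.parse import quote
from wsgiref.simple_server import make_server

CURRENT_HOST = "b.myapp.com"
RETIRED_HOSTS = {"a.myapp.com": CURRENT_HOST}        # old name -> fixed new name
USER_DOMAIN = "mydomain.com"                         # user1.mydomain.com style
USERS = {"user1", "user2"}                           # stands in for the user table
CUSTOM_DOMAINS = {"shop.customer.example": "user1"}  # customer's CNAME -> user


def normalise_host(raw):
    """Lower-case, drop :port and trailing dot; None if it is not a hostname."""
    if not raw:
        return None
    host = raw.split(":", 1)[0].rstrip(".").lower()
    if not host or not all(c.isalnum() or c in "-." for c in host):
        return None                                  # IP literals etc. are not served
    return host


def route(raw_host):
    """Map a Host header to ('redirect', new_host), ('user', id) or ('reject', None)."""
    host = normalise_host(raw_host)
    if host is None:
        return ("reject", None)
    if host in RETIRED_HOSTS:
        return ("redirect", RETIRED_HOSTS[host])    # constant target, never the request's Host
    if host in CUSTOM_DOMAINS:
        return ("user", CUSTOM_DOMAINS[host])
    label, sep, parent = host.partition(".")
    if sep and parent == USER_DOMAIN and label in USERS:
        return ("user", label)                       # the userID read from the domain name
    return ("reject", None)                          # no binding for this name


def app(environ, start_response):
    action, target = route(environ.get("HTTP_HOST"))
    path = quote(environ.get("PATH_INFO") or "/", safe="/")   # keep header values clean
    if action == "redirect":
        new_url = "https://%s%s" % (target, path)
        start_response("301 Moved Permanently",
                       [("Location", new_url), ("Content-Type", "text/plain")])
        return [("This site has moved to %s" % new_url).encode()]
    if action == "user":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("Serving account %s" % target).encode()]
    # Same answer IIS gives when no site binding matches the Host header.
    start_response("400 Bad Request", [("Content-Type", "text/plain")])
    return [b"Bad Request - Invalid Hostname"]


def call_app(host, path="/"):
    """Invoke app() without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"HTTP_HOST": host, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

With Apache's ServerAlias or an IIS binding in front of this, every name you want served (including customers' CNAMEd domains) still has to be accepted at the server level first; the routing above is what happens once the request reaches the application.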

Universal list of domain endings?

Does anyone know where I could find a list of all publicly available domain endings? By "domain endings", I'm not necessarily referring to TLDs as I'm not interested in the .uk part of .co.uk since (AFAIK) individuals cannot register sites without having the .co preceding it.
If it helps to make things more concrete, here's my specific problem: given a domain name I want to return both the version of the domain preceded by www and the version not preceded by www. The input domain may or may not contain www.
The complication comes from the existence of domain names such as "www.com" or "www.info"; what I initially implemented would take www.info and return info and www.info.
I don't think you actually need to have a list of domain names:
given a domain name I want to return both the version of the domain preceded by www and the version not preceded by www
Pseudocode:
input name
does it begin with "www."?
if yes, strip out "www."
there's your domain name, save it
prepend "www." to domain name
save the result
lookup in DNS both the saved entries
if they exist, output them
You can get the list of current TLDs in many ways, slightly differently.
For example:
Going to IANA website at https://www.iana.org/domains/root/db (this is frequently updated after a new TLD got delegated in root zone)
Or just download the root zone file through the appropriate links: http://www.internic.net/domain/root.zone or ftp://rs.internic.net/domain/root.zone
You could also just query one of the current root nameservers that allow AXFR requests to download the current root zonefile, such as dig @f.root-servers.net . AXFR, with the added benefit that this is protected by DNSSEC (where the previous HTTP URL has no protection against tampering).
Of course this gives you only "Top Level Domains" not all "suffixes" under which a registry exists to allow the public (in general or part of it) to register domain names.
Having the list of those is currently still an unsolved problem, if you take into account the needs of automated processes, freshness, decentralization of updates, etc.
The best solution is to use the Public Suffix List at https://publicsuffix.org/list/public_suffix_list.dat but first make sure to go to main site at https://publicsuffix.org/learn/ to learn in details about what it is, how to use it and its shortcomings.
You will find co.uk there.
But as for your:
in the .uk part of .co.uk since (AFAIK) individuals cannot register sites without having the .co preceding it.
This is not true anymore, showing that eligibility requirements in TLDs, or even structure, change over time. .UK is open to direct registrations now, see https://www.nominet.uk/domains/our-domains/uk-domains/
And also, side rant, when you work with domain names/TLDs please do not forget about IDNs, that could happen in any label in the DNS.
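The Public Suffix List matching the answer points to, as an added example that is not from the answer nor from publicsuffix.org's own code: it implements the rules documented at https://publicsuffix.org/list/ (the longest matching rule wins, an exception rule beats a wildcard, a TLD not in the list falls back to the implicit "*" rule) over a constructed six-line excerpt of the list, and then does the www-stripping the question asked for in a way that leaves www.info and www.com whole, because what follows the www. is a bare public suffix rather than a registrable domain. Labels are handled as ASCII only; the real list is Unicode and needs IDNA conversion before matching, which is the IDN point the answer ends on.

```python
"""Public Suffix List matching (the algorithm documented at
https://publicsuffix.org/list/) on a small constructed excerpt of the list,
plus the www-variant logic the question asks for. Constructed data; the real
list is https://publicsuffix.org/list/public_suffix_list.dat ."""

# Constructed excerpt in the list's own syntax: comments, plain rules,
# one wildcard rule and one exception rule. ASCII only; real entries are
# Unicode and need IDNA handling before matching.
PSL_EXCERPT = """
// ===BEGIN constructed excerpt, not the real list===
com
info
uk
co.uk
*.ck
!www.ck
// ===END===
"""


def load_rules(text):
    """Keep rule lines, drop comments and blanks."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("//")]


RULES = load_rules(PSL_EXCERPT)


def _matches(rule_labels, labels):
    """A rule matches when the domain ends with its labels; '*' matches any one label."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules=RULES):
    """Return the public suffix of domain under the given rules."""
    labels = domain.lower().rstrip(".").split(".")
    best = None                                    # ((is_exception, n_labels), rule_labels)
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _matches(rule_labels, labels):
            key = (exception, len(rule_labels))    # exception first, then longest
            if best is None or key > best[0]:
                best = (key, rule_labels)
    if best is None:
        n = 1                                      # no rule matched: implicit "*" rule
    else:
        (exception, n), _ = best
        if exception:
            n -= 1                                 # exception: drop its leftmost label
    return ".".join(labels[-n:])


def registrable_domain(domain, rules=RULES):
    """Public suffix plus one label, or None if domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def www_variants(name, rules=RULES):
    """Return (bare, www-prefixed) for a name, or None if it is not registrable.

    'www.' is only stripped when what remains is still a registrable domain,
    so www.info and www.com are kept as the bare form.
    """
    name = name.lower().rstrip(".")
    base = name
    if name.startswith("www.") and registrable_domain(name[4:], rules):
        base = name[4:]
    if registrable_domain(base, rules) is None:
        return None
    return (base, "www." + base)


if __name__ == "__main__":
    for n in ("www.example.co.uk", "www.info", "www.ck", "foo.bar.ck", "co.uk"):
        print(n, public_suffix(n), registrable_domain(n), www_variants(n))
```

The fallback for an unknown TLD is the reason the answer says you still need the list and not just the root zone: without the rule co.uk in the list, example.co.uk would come out as a subdomain of the registrable domain co.uk, and www.example.co.uk would be stripped to example.co.uk correctly only by accident.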
