Scott Kitterman wrote:
Yes, but the fundamental operational problem will be to pick the correct
domain to sign with. You have to make that decision either way. The basis
upon which you make the decision is the same. I agree that the result LOOKS
less ambiguous with the NS delegation approach, but the fundamental security
issue is don't pick the wrong domain to sign with and that's no different.
When using the "authorized signing domains" approach, the signer uses
its own domain name, not that of the domain doing the delegation. I
don't see where there is a choice for the signer to make (which is also
the source of the ambiguity).
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html