
Re: [ietf-dkim] New Thread: Use of CNAME in place of NS subdomain delegation

2006-08-28 14:09:03
Scott Kitterman wrote:

One of the major reasons I've been promoting the idea of the third party authorized list/DSD is to allow smaller domains that do not have the ability to do subdomain NS delegation to get the effective benefit of first party signing. So, when I saw this:

On Saturday 26 August 2006 23:16, Wietse Venema wrote:

(*) This is possible even when the signer is in a different domain.
   All they need is the private key that matches the public key
   in the d= DNS record. That record can, but does not have to,
   be CNAME delegated to the signer's DNS.

I was interested. Is a CNAME a reasonable alternative to the subdomain NS delegation approach that's been described previously? I don't recall this being mentioned before. It makes sense to me, but I certainly hadn't thought of it. If this is viable, it changes, somewhat, my perspective on the significance of the requirement that we've stopped discussing for now.

This has been discussed before, and the answer is that it doesn't work very well. You can't, for instance, CNAME an interior node -- just leaf nodes. For DKIM, the ability to roll selector names pretty much means you'd want to manage the subtree, not just a leaf. I expect for any sort of scale and/or key management on the target of the CNAME, you'd end up with a lot of broken links.

      Mike
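A toy model of the difference Mike describes, added here as an illustration and not part of the thread or of any DKIM implementation. It holds a few constructed zones in memory (example.com delegating `_domainkey` by NS, example.org using one CNAME per selector, and a hypothetical signer at signer.example.net) and resolves selector lookups the way a verifier would, following a CNAME only at the exact owner name queried. The domain names, selectors and key strings are all made up.

```python
"""Toy zones plus a minimal resolver showing why a CNAME per selector does
not give what NS delegation of the _domainkey subtree gives.

All zone contents are constructed sample data, not any real domain's records.
"""
from typing import Dict, List, Optional

# Every zone the toy resolver knows about, keyed by apex. Which server hosts
# a zone is irrelevant to the model; what matters is which zone a name falls in.
ZONES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    # Approach A: example.com hands the whole _domainkey subtree to the signer.
    "example.com.": {
        "example.com.": {"MX": ["10 mail.example.com."]},
        "_domainkey.example.com.": {"NS": ["ns1.signer.example.net."]},
    },
    # The signer serves the delegated child zone and adds selectors at will,
    # with no change to example.com's own zone.
    "_domainkey.example.com.": {
        "sel1._domainkey.example.com.": {"TXT": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_1"]},
        "sel2._domainkey.example.com.": {"TXT": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_2"]},
    },
    # Approach B: example.org keeps the subtree and aliases one leaf at a time.
    "example.org.": {
        "example.org.": {"MX": ["10 mail.example.org."]},
        "sel1._domainkey.example.org.": {"CNAME": ["sel1._domainkey.signer.example.net."]},
    },
    # The signer's own zone, where the keys are actually published.
    "signer.example.net.": {
        "sel1._domainkey.signer.example.net.": {"TXT": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_1"]},
        "sel2._domainkey.signer.example.net.": {"TXT": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_2"]},
    },
}


def closest_zone(name: str) -> Dict[str, Dict[str, List[str]]]:
    """Pick the zone whose apex is the longest suffix of name. This is the
    effect of NS delegation: the child zone wins for everything below its apex."""
    apexes = [a for a in ZONES if name == a or name.endswith("." + a)]
    if not apexes:
        raise LookupError(f"no zone covers {name}")
    return ZONES[max(apexes, key=len)]


def resolve(name: str, rtype: str, depth: int = 0) -> Optional[List[str]]:
    """Return rdata for (name, rtype). A CNAME is followed only when it sits at
    the exact owner name queried; names below an alias are not redirected.
    None stands for NXDOMAIN/NODATA."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rrsets = closest_zone(name).get(name, {})
    if "CNAME" in rrsets and rtype != "CNAME":
        return resolve(rrsets["CNAME"][0], rtype, depth + 1)
    return rrsets.get(rtype)


def dkim_key(domain: str, selector: str) -> Optional[str]:
    """What a verifier does with d=domain and s=selector from a DKIM-Signature."""
    txt = resolve(f"{selector}._domainkey.{domain}.", "TXT")
    return txt[0] if txt else None


def add_cname(zone_apex: str, owner: str, target: str) -> None:
    """Add an alias to a zone, enforcing the RFC 1034/2181 rule that a CNAME
    cannot coexist with other data at the same owner name."""
    zone = ZONES[zone_apex]
    if zone.get(owner):
        raise ValueError(f"{owner} already has data; a CNAME must be the only RRset")
    zone[owner] = {"CNAME": [target]}


def rollover_outcome(new_selector: str) -> Dict[str, Optional[str]]:
    """The signer has rolled to new_selector on its own servers only. Which
    signing domains still verify without touching their parent zones?"""
    return {
        "example.com (NS delegation)": dkim_key("example.com", new_selector),
        "example.org (CNAME per selector)": dkim_key("example.org", new_selector),
    }


if __name__ == "__main__":
    for label, key in rollover_outcome("sel2").items():
        print(f"{label}: {'found' if key else 'NXDOMAIN'}")
```

The rollover check is the crux: after the signer rotates to sel2, the delegated example.com verifies immediately, while example.org fails until someone edits its parent zone again. Aliasing `_domainkey.example.org.` itself does not help either, because resolvers apply the alias to that one name, not to the selectors underneath it.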
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html