I believe that these issues need to be addresses in the SC section to
allow appropriate planning steps to be taken. Other than that however
the impact should be minimal until MUAs begin verification.
I think that it is entirely reasonable to expect competent network
admins to monitor resource requirements for infrastructures such as DNS
and plan to add more capacity if required. It is utterly unreasonable to
require new infrastructure to require no additional resources.
The issue here is the impact of DKIM verification on the DNS cache. I
would expect network administration to consider this issue and if
necessary put the DKIM verifier on a separate DNS resolver.
My concern on the per-user keying side is that at present DKIM lacks a
key provisioning protocol. This is arguably acceptable for domain based
keys, but the idea that any sysadmin is going to manually enter 1000
user keys into the DNS or that doing so would provide a secure protocol
is not realistic. Nor is it clear that doing so provides any real value
unless the keys themselves are persisted for longer than the DNS
infrastructure is designed to support. Both these issues strongly
suggest the need for an independent keying mechanism for end-user keys.
The performance/load issue does not