dkim-ops

[dkim-ops] DKIM key delegation via CNAME

2013-12-12 21:19:00
All-



Seeking input on an idea: using CNAME vs. TXT records in order to enable
easy (from the customer's standpoint) key rotation. It was our preferred choice
over domain/subdomain delegation since it follows the "principle of least
permission". The customer’s DKIM key is a CNAME pointing to our domain; our
domain hosts the DKIM key material in a TXT, which we can rotate, and which
we use to sign their email.



We've been using it for over a year without problems but recently a
receiver questioned its compatibility given that it's not spelled out in
the DKIM RFC.



We believe it's a technically valid approach since DKIM builds on a host of
other technologies and those technology specifications define how DKIM
interacts with them. In particular, DKIM builds on DNS, which allows a
CNAME record to take the place of any other.



I am curious to get folks’ thoughts on this implementation. Any concerns?
Anyone else with current or prior experience of this method?



Cheers-

Nick
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
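
Added example, not part of the original post: a minimal model of the key lookup a DKIM verifier performs under the delegation described in the message, showing the selector's TXT query following the customer's CNAME to the provider-hosted key. The zone data, the names customer.example and esp.example, the selector s1, the key values and the hop limit are all constructed assumptions.

```python
# Constructed zone data for illustration; not real DNS records.
ZONE = {
    # The customer publishes only a CNAME at the selector name (hypothetical names).
    ("s1._domainkey.customer.example", "CNAME"): ["s1.customer.dkim.esp.example"],
    # The provider hosts the key material and can rotate it in its own zone.
    ("s1.customer.dkim.esp.example", "TXT"): ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYA"],
}

MAX_CNAME_HOPS = 8  # assumption: resolvers cap chain length; real limits vary


def resolve_txt(name, zone=ZONE):
    """Return (final_owner, txt_strings), following CNAMEs as a resolver would."""
    seen = set()
    name = name.rstrip(".").lower()
    for _ in range(MAX_CNAME_HOPS + 1):
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        if (name, "TXT") in zone:
            return name, zone[(name, "TXT")]
        target = zone.get((name, "CNAME"))
        if not target:
            raise LookupError(f"no TXT or CNAME at {name}")
        name = target[0].rstrip(".").lower()
    raise LookupError("CNAME chain too long")


def parse_dkim_key(txt):
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def fetch_key(selector, domain, zone=ZONE):
    """Key lookup for s=<selector>; d=<domain> from a DKIM-Signature header."""
    owner, txts = resolve_txt(f"{selector}._domainkey.{domain}", zone)
    # Multiple strings within one TXT record are concatenated before parsing.
    return owner, parse_dkim_key("".join(txts))
```

Rotating the key means replacing only the TXT entry under esp.example; the customer's CNAME entry stays unchanged and `fetch_key("s1", "customer.example")` returns the new key.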