ietf-dkim

[ietf-dkim] Re: New Issue: TLD key publication and signing

2006-02-14 17:03:43
Markley, Mike wrote:
 
> I am not, however, aware of any mechanism for preventing a
> malicious TLD operator from publishing a key at
> _domainkey.<tld>. This suggests to me that it's quite
> possible that the operators of the TLD, whether that's
> Verisign or some government-controlled agency, can then
> send mail with d=tld and i=user@example.tld, and that such
> a message's signature would validate.

Hi, that sounds like a general "bug" or "feature" not limited
to TLDs, it would be the same with say ac.uk or navy.mil SLDs,
or any other domain with "independent" (zone cut) subdomains.

> Obviously the TLD operators in most countries probably would
> not risk the legal challenges to doing something like this,

Some TLDs are rather small, some even have an IP like "ordinary"
example.com domains.  I wouldn't bet that say "tv" is always
"better" than ordinary domains wrt "independent" subdomains
(there must be a proper term for this case, please correct me.)

> This may simply be "as designed", but it is, IMO, worth
> documenting.

Yes, but I'd say the general case has to be documented, it's
not limited to TLDs.
                             Bye, Frank



_______________________________________________
NOTE WELL: This list operates according to 
http://dkim.org/ietf-list-rules.html
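
The general case discussed in this thread, as an added example that is not part of the original message or of any DKIM implementation: a verifier-side check that flags a signature whose d= is a registry-level domain (a TLD, or an SLD such as ac.uk) even though the i= identity is structurally acceptable. The suffix set is a small constructed sample standing in for a maintained public suffix list, and the function names are hypothetical.

```python
# Constructed sample of registry-level suffixes; a real deployment would
# load a maintained public suffix list instead (assumption of this example).
SAMPLE_SUFFIXES = {"tld", "com", "uk", "ac.uk", "mil", "navy.mil", "tv"}


def parse_tags(header_value):
    """Split a DKIM-Signature tag list ("a=b; c=d") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Remove folding whitespace inside the value.
            tags[name.strip()] = "".join(value.split())
    return tags


def classify_signature(header_value, suffixes=SAMPLE_SUFFIXES):
    """Return 'malformed', 'invalid-identity', 'parent-suffix-signer' or 'ok'."""
    tags = parse_tags(header_value)
    d = tags.get("d", "").lower().rstrip(".")
    if not d:
        return "malformed"
    # When i= is absent, the identity defaults to "@" followed by d=.
    identity = tags.get("i", "@" + d).lower()
    if "@" not in identity:
        return "malformed"
    i_domain = identity.rsplit("@", 1)[1].rstrip(".")
    # The identity domain must equal d= or be a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        return "invalid-identity"
    # The case from the thread: the identity check passes, but the signing
    # domain sits at a delegation point shared by unrelated registrants.
    if d in suffixes:
        return "parent-suffix-signer"
    return "ok"


if __name__ == "__main__":
    # Constructed header values, not taken from real mail.
    for sample in (
        "v=1; a=rsa-sha256; d=tld; s=sel; i=user@example.tld",
        "v=1; a=rsa-sha256; d=ac.uk; s=sel; i=staff@dept.example.ac.uk",
        "v=1; a=rsa-sha256; d=example.tld; s=sel; i=user@example.tld",
    ):
        print(classify_signature(sample), "<-", sample)
```

A verifier can treat `parent-suffix-signer` as a policy result separate from cryptographic validity, since the signature itself still verifies against the key published under the parent domain.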