On Mar 20, 2006, at 2:18 PM, Ólafur Guðmundsson wrote:
> Defining a new DKIM-specific RR type for DNS will take about the
> same time as defining a new CERT type!

Writing the draft, yes. Accessing this RR type, no. The CERT has
made headway since about 1999, where use of this CERT by DKIM
improves this momentum.

> Furthermore adding unsigned keying information into the CERT
> record will run into resistance as this is not a properly formatted
> certificate.

When viewed in conjunction with the DKIM signature, this does offer
similar functionality. As this would be assigned its own CERT type,
there is no risk of this creating a conflict as it also would only
exist within a unique name space. Paul Vixie reviewed this issue and
considers the selection of the CERT RR a good choice. What concerns
do you have?

> As for the 512 size restriction, that was addressed by EDNS0
> (RFC2671). RFC2671 was issued in 1999.

Even when the DNS does support EDNS0, there can still be issues
elsewhere.

> Most DNS software in serious use should support it by now.

A worthy goal. Remember the network amplification is also affected,
so the transition should be done with careful deployment.

> DKIM DNS usage requires DNSSEC in which case not having EDNS0
> support is fatal.

Another worthy goal and of course EDNS0 is required by DNSSEC. Does
that mean DKIM should also demand support for EDNS0?

-Doug