> For comparison: Do people actually get spam based on, for example, the
> contact address published in SOA records at the top of a DNS zone? I've
> never heard of such a thing.
No, but they definitely get spam at anything that looks like an address
that can be scraped out of a web archive.
> For a domain that has only a few selectors in use, sure. But suppose
> someone starts using keys on a per-user basis (or any other method that
> requires a huge number of signing keys), then changes the hash
> requirements. Any large organization could then have an enormous number
> of records to update. It sure would be nice to be able to change it in
> just one place, like a signing policy.
Any organization that creates an enormous number of records and doesn't
have automated ways to manage and update them has worse problems than
we can solve.
Key management strikes me as another item that would be appropriate
for a BCP rather than in the DKIM spec.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
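As an added illustration of the "automated ways to manage and update them" point above (example code written for this page, not from the thread or from any DKIM implementation): a small Python script that parses DKIM key records in their RFC 6376 tag=value form and rewrites the h= (acceptable hash algorithms) tag across every selector in a zone, returning only the records that actually need to change. The selector names, hostnames and p= values below are constructed placeholders.

```python
import re

# Constructed sample zone: one DKIM key record per user-level selector, as a
# per-user signing-key scheme would produce. The p= values are placeholders,
# not real public keys. Note the mixed h= state: sha1 only, both, and absent
# (absent means every algorithm is acceptable, per RFC 6376).
SAMPLE_ZONE = {
    "alice._domainkey.example.com": "v=DKIM1; k=rsa; h=sha1; p=PLACEHOLDER_KEY_A",
    "bob._domainkey.example.com": "v=DKIM1; k=rsa; h=sha1:sha256; p=PLACEHOLDER_KEY_B",
    "carol._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_C",
}


def parse_tags(record):
    """Split a DKIM tag=value record into a dict, tolerating folding whitespace."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:  # trailing ';' or empty segment
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def format_tags(tags):
    """Serialise a tag dict back into the tag=value; form."""
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def set_hash_policy(record, algorithms):
    """Return the record with its h= tag set to exactly the given algorithms."""
    tags = parse_tags(record)
    tags["h"] = ":".join(algorithms)
    return format_tags(tags)


def apply_hash_policy(zone, algorithms):
    """Return {name: new_record} for every record that does not already
    conform to the desired hash policy; conforming records are left out,
    so the result is the exact set of DNS updates to push."""
    changes = {}
    for name, record in zone.items():
        updated = set_hash_policy(record, algorithms)
        if parse_tags(updated) != parse_tags(record):
            changes[name] = updated
    return changes
```

Running `apply_hash_policy(SAMPLE_ZONE, ["sha256"])` yields all three records the first time and an empty dict once they are applied, which is the kind of idempotent bulk update a large selector population needs.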