On Apr 11, 2006, at 1:50 PM, Michael Thomas wrote:
> Dave Crocker wrote:
>> Folks,
>> I did a quick scan of -core and did not find this issue dealt with:
>> When moving to a new key for a domain, may the same selector be
>> used, or is the signer required to use a different selector?
> You must use a new selector. Otherwise, depending on cache, etc., you
> might get indeterminate results.
If the key is changed well prior to use and well after use, such as
in a round-robin fashion, there should be little that prevents this
technique. It is not a limitation of DNS, as it is rather common to
anticipate these transitions by setting the TTL for the affected
resource record.
It will reduce the overhead when no record is found, rather than a
different record with a key that is not intended to verify the
message. In that case, it would be good to establish a practice
where a different selector is used to introduce a new key to minimize
the verification overhead.
-Doug
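Michael's caching concern and Doug's TTL point, written out as a small rotation-timing model that is added here and is not code from the thread or from any DKIM implementation; the Rotation fields, the check names and the assumption that a resolver may serve a cached selector record for up to one TTL after a change are mine.

```python
"""Added example: does a DKIM selector rotation leave a window where a
verifier can fetch the wrong key?

Assumed model (not from the thread): a resolver that fetched the
selector's TXT record just before it changed may keep serving the old
copy for `ttl` seconds, so reusing a selector name for a new key means
verifiers can still see the old key during that window.  Times are
seconds on one clock; values in the tests are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rotation:
    ttl: int             # TTL on the selector's TXT record
    publish_at: int      # new key published (or old record overwritten)
    sign_from: int       # first message signed with the new key
    sign_until: int      # last message signed with the new key
    max_transit: int     # longest delay before a verifier checks a message
    withdraw_at: int     # key record removed (or overwritten again)
    reuses_selector: bool  # True: same selector name as the previous key


def rotation_problems(r: Rotation) -> list[str]:
    """Return the timing problems in a rotation plan (empty list = clean)."""
    problems = []
    # Same selector: a cached copy of the previous record can be served
    # for one TTL after the overwrite, so signing must wait that long.
    if r.reuses_selector and r.sign_from < r.publish_at + r.ttl:
        problems.append("old key may be served from cache during signing")
    if r.sign_from < r.publish_at:
        problems.append("signing starts before the key is published")
    # A message signed at sign_until may only be verified after transit.
    if r.withdraw_at < r.sign_until + r.max_transit:
        problems.append("key withdrawn before late deliveries are verified")
    return problems


def safe_schedule(ttl: int, sign_from: int, sign_until: int,
                  max_transit: int, reuses_selector: bool) -> tuple[int, int]:
    """Latest publish time and earliest withdraw time that pass the checks.

    A fresh selector needs no TTL lead time, since no verifier can hold a
    cached key record under a name that has never existed.
    """
    lead = ttl if reuses_selector else 0
    return sign_from - lead, sign_until + max_transit
```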
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html