> It seems like a small benefit we're getting through "parental" signing,
> offset by a small threat. How do others feel about this?

There's no threat. Despite a certain amount of wishful thinking to
the contrary, the design of DNS makes subdomains absolutely completely
under the control of the domains from which they are delegated. If
you want to limit what the organization running your parent domain can
do, you do so by contracts and lawsuits, not anything technical.

I have always opposed making rules that can't be enforced, and a no
parent rule would be completely unenforceable since a parent domain
could, if so inclined, use any of a wide variety of techniques to
stuff records into subdomains anyway.

On the other hand, it's not hard to think of uses for parent
signatures. For example, Time Warner's Roadrunner cable service is
organized into geographic regions with each region having addresses in
its own mail domain, such as whoever@twcny.rr.com here in
central NY.
But they have one abuse desk for the whole company, so it's quite
plausible that they'd want to do the signing from rr.com.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html