ietf-dkim

Re: [ietf-dkim] x= lets senders expire responsibility

2006-04-14 11:25:53
Dave Crocker wrote:



Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:

I suspect in the real sysadmin world changing keys every week probably
isn't going to happen :-)



Given the intended use of DKIM and given the current state of DNS administrative tools, what do folks think *is* a realistic expectation (and recommendation) for the lifespan of a key, for a typical email operation?

In other words, given the pragmatics, how often is reasonable and appropriate for changing keys?

I don't want to put words into Arvel's mouth, but my read of his users' experience is that you struggle to get the keys into the DNS once and hope that you never have to struggle with it again. I think his base is mostly small/medium business.

For larger business and maybe ISPs even, our anecdotal experience at Cisco is that our messaging and DNS folks don't have much to do with one another (changing MX records is not an ordinary event). Thus to achieve key rollover, you'd need to create linkages between the groups and their software that didn't exist before. Which is to say, a very slow process for the motivated, and a non-process for the unmotivated. Maybe SPF has helped here, but I doubt it.

      Mike