ietf-dkim

Re: [ietf-dkim] Issue #1265: Signing by parent domains

2006-05-25 22:26:40
The arguments against parent signatures seem to me to boil down to
two: parents may be untrustworthy, and foolish people can do foolish
things.

I concur with Jim's rebuttal to the first.  The DNS works on the basis
of delegation from the top down, subdomains are 100% at the mercy of
their parent domains whether you like it or not, and it's 25 years too
late to change it.  Sorry.

The problem with the second objection is that the range of foolish
things is vast and unlimited, and this strikes me as what Bruce
Schneier calls a movie plot threat, exciting to imagine, but less
likely in practice than many other kinds of foolishness.  It's a bad
idea to try to enumerate and forbid every foolish thing that people
can do, because fools are very creative, your list will be incomplete,
and if your list is long and detailed, the fools will then insist that
since their foolishness isn't on the list, it must be OK.


An important argument in favor of parent signatures involves wildcard
MXes.  In some of my domains I have an MX for, say, *.example.com.
This lets every user in that domain use his or her domain name as a
subdomain, so that if you send mail to foo@jeff.example.com, the MTA
rewrites the mailbox to an address extension and handles that as mail
to jeff-foo@example.com.  Qmail lets you do this with about three
lines of config file, so I assume it's easy with other MTAs as well.
Wildcard MXes have a range of uses like this, encoding part of what
might otherwise be the mailbox or other routing or delivery info into
the domain.

DKIM can't handle this if you don't permit parent signing, because the
DNS doesn't permit internal wildcards.  If the signing domain has to
match the mail address domain, the wildcard selector would have to be

selector._domainkey.*.example.com

but that doesn't work.  Using plain *.example.com makes all the
selectors equivalent, which is bad.  You'd have to export your entire
list of users into the DNS, with records like

selector._domainkey.jeff.example.com
selector._domainkey.joe.example.com

and so forth.  For a large mail system, that's a huge DNS bloat and a
needless burden.

So as far as I am concerned, parent signing is an important and useful
facility with no disadvantages.

R's,
John
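The DNS-wildcard argument above can be checked mechanically. The following is an added toy model, not code from John's post, from qmail or from any DKIM implementation: it builds DKIM key record names, applies a simplified version of DNS wildcard matching (leftmost `*` label only; the closest-encloser rule is ignored), applies the "parent may sign" acceptance rule a verifier would use, and performs the wildcard-MX address rewrite the post describes. All function names, zone records and addresses are constructed for this illustration.

```python
"""Added illustration of the DNS-wildcard argument for DKIM parent signing.
Not code from the post, qmail, or any DKIM library: a toy model for this page.
Every name and record below is constructed."""

DKIM_LABEL = "_domainkey"


def key_record_name(selector: str, signing_domain: str) -> str:
    """DKIM fetches the public key at <selector>._domainkey.<d= domain>."""
    return f"{selector}.{DKIM_LABEL}.{signing_domain}".lower().rstrip(".")


def wildcard_matches(owner: str, qname: str) -> bool:
    """Simplified RFC 4592 matching (closest-encloser rule ignored).
    Only a leftmost '*' label is a wildcard; it covers every name below the
    rest of the owner. A '*' in any other position is a literal label, so
    'selector._domainkey.*.example.com' matches nothing but itself."""
    owner, qname = owner.lower(), qname.lower()
    if owner.startswith("*."):
        suffix = owner[1:]               # "*.example.com" -> ".example.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return owner == qname


def lookup(zone: dict, qname: str):
    """Exact owner name first, otherwise the longest matching wildcard owner."""
    qname = qname.lower()
    if qname in zone:
        return zone[qname]
    hits = [o for o in zone if o.startswith("*.") and wildcard_matches(o, qname)]
    return zone[max(hits, key=len)] if hits else None


def parent_may_sign(signing_domain: str, author_domain: str) -> bool:
    """Verifier policy argued for in the post: accept d= equal to the
    From-address domain or any ancestor of it (example.com for jeff.example.com).
    Suffix matching is on whole labels, so jeffexample.com is not covered."""
    s = signing_domain.lower().strip(".")
    a = author_domain.lower().strip(".")
    return a == s or a.endswith("." + s)


def rewrite_wildcard_mx_address(address: str, base_domain: str) -> str:
    """Hypothetical wildcard-MX rewrite from the post:
    foo@jeff.example.com is delivered as the extension address jeff-foo@example.com."""
    local, _, domain = address.rpartition("@")
    base = base_domain.lower().strip(".")
    domain = domain.lower().strip(".")
    if domain == base:
        return f"{local}@{base}"
    if not domain.endswith("." + base):
        raise ValueError(f"{address} is not under {base}")
    sub = domain[: -(len(base) + 1)].replace(".", "-")   # jeff.example.com -> jeff
    return f"{sub}-{local}@{base}"


def demo() -> dict:
    # Constructed zone data. A wildcard at *.example.com answers every selector
    # name under the zone with one and the same record, so selectors stop
    # meaning anything; the "internal wildcard" owner is merely a literal name.
    wildcard_zone = {
        "*.example.com": "v=DKIM1; p=ONE-KEY-FOR-EVERYONE",
        "selector._domainkey.*.example.com": "v=DKIM1; p=NEVER-SYNTHESISED",
    }
    # Without parent signing the alternative is one record per user.
    per_user_zone = {
        key_record_name("sel1", "jeff.example.com"): "v=DKIM1; p=JEFF",
        key_record_name("sel1", "joe.example.com"): "v=DKIM1; p=JOE",
    }
    return {
        "wild_sel1": lookup(wildcard_zone, key_record_name("sel1", "jeff.example.com")),
        "wild_sel2": lookup(wildcard_zone, key_record_name("sel2", "jeff.example.com")),
        "internal_wildcard_literal": wildcard_matches(
            "selector._domainkey.*.example.com", "selector._domainkey.jeff.example.com"),
        "per_user_records": len(per_user_zone),
        "parent_ok": parent_may_sign("example.com", "jeff.example.com"),
        "lookalike_rejected": parent_may_sign("example.com", "jeffexample.com"),
        "rewritten": rewrite_wildcard_mx_address("foo@jeff.example.com", "example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the argument side by side: under the wildcard zone, `sel1` and `sel2` resolve to the identical record, and the "internal wildcard" owner never matches a real selector name, while the per-user zone needs one record for each mailbox domain. The `parent_may_sign` check is the relaxed rule that makes a single `d=example.com` key serve every `*.example.com` sender, with whole-label matching so a look-alike domain is not accepted.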

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html