The semantics of i= are *completely clear*:

   d=  The domain of the signing entity (plain-text; REQUIRED).  This
       is the domain that will be queried for the public key.  This
       domain MUST be the same as or a parent domain of the "i=" tag
       (the signing identity, as described below).  When presented with
       a signature that does not meet this requirement, verifiers MUST
       consider the signature invalid.

It doesn't matter how good or bad the maintainer of the higher-level
domain is: all that matters is what the signer puts in d=. If
i=doug(_at_)mail-abuse(_dot_)org and d=mail-abuse.org, then it makes not a whit
of difference what the key policies and so on of .org are because the
verifier will never look there.
Stated another way, what part of "This is the domain that will be
queried for the public key" has anything to do with the DNS hierarchy?
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
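
The d=/i= rule quoted in the message above, as an added example that is not part of the original post or of any DKIM implementation: a verifier-side check that d= is the same as or a parent of the i= domain, followed by the name that would be queried for the public key. The selector value, the local part "user" and the function names are constructed for illustration; the s= tag and the "<selector>._domainkey.<d=>" query name come from the DKIM specification, not from this message.

```python
# Added example: header values below are constructed, not from a real message.

def parse_tags(sig_value):
    """Parse a DKIM-Signature tag list ("a=b; c=d") into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def identity_within_domain(d, i_domain):
    """True if d= is the same as, or a parent domain of, the domain in i=."""
    d_labels = d.lower().rstrip(".").split(".")
    i_labels = i_domain.lower().rstrip(".").split(".")
    # Compare whole labels from the right, so "evilmail-abuse.org" is not
    # mistaken for a child of "mail-abuse.org" by a plain suffix match.
    return len(i_labels) >= len(d_labels) and i_labels[-len(d_labels):] == d_labels

def key_query_name(sig_value):
    """Return the DNS name queried for the key, or None if the signature is invalid."""
    tags = parse_tags(sig_value)
    d, s = tags.get("d"), tags.get("s")
    if not d or not s:
        return None                      # d= is REQUIRED
    i = tags.get("i", "@" + d)           # i= defaults to "@" followed by d=
    i_domain = i.rsplit("@", 1)[-1]
    if not identity_within_domain(d, i_domain):
        return None                      # verifiers MUST consider it invalid
    # Only d= and the selector decide where the verifier looks; the parent
    # zones of d= (".org" here) are never consulted for key policy.
    return f"{s}._domainkey.{d.lower()}"

if __name__ == "__main__":
    for sig in (
        "v=1; d=mail-abuse.org; s=sel1; i=user@mail-abuse.org",
        "v=1; d=mail-abuse.org; s=sel1; i=user@lists.mail-abuse.org",
        "v=1; d=mail-abuse.org; s=sel1; i=user@evilmail-abuse.org",
        "v=1; d=lists.mail-abuse.org; s=sel1; i=user@mail-abuse.org",
    ):
        print(sig, "->", key_query_name(sig))
```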