ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Requirement clarification: NS delegation

2006-08-09 11:23:26
Change 1: done.
Change 2: folded into the next paragraph which has other concerns about the NS approach.

      Mike

Scott Kitterman wrote:

***************
*** 368,374 ****
    That said, DKIM uses DNS to store selectors.  Thus there is always
    the ability for a domain holder to delegate all or parts of the
    _domainkey subdomain to a third party of the domain holder's
!    choosing.  That is, the domain holder can always set a NS record for
    _domainkey.example.com to, say, an email provider who manages that
    namespace.  There is also the ability for the domain holder to
    partition its namespace into subdomains to further constrain how
--- 369,375 ----
    That said, DKIM uses DNS to store selectors.  Thus there is always
    the ability for a domain holder to delegate all or parts of the
    _domainkey subdomain to a third party of the domain holder's
!    choosing.  That is, the domain holder may be able to set a NS record for
    _domainkey.example.com to, say, an email provider who manages that
    namespace.  There is also the ability for the domain holder to
    partition its namespace into subdomains to further constrain how
***************
*** 377,382 ****
--- 378,387 ----
    the third party to only be able to sign messages on behalf of the
    benefits subdomain.

+            [INFORMATIVE NOTE: Not all DNS providers support separate
+            NS records for subdomains, so this approach is not universally
+            available.]
+
    There have been concerns expressed about how well this would scale
    when the third party is, say, a large ISP that signs for thousands of
    domains.  There has been concern about how well this would work for
***************

Since this scenario is aimed primarily at small non-technical domain owners (who would be the most likely to outsource DNS services also) I think it is important to point out that not all DNS providers support subdomain NS delegation (personally, I mostly use two providers - one supports it, the other doesn't). It is another reason why NS delegation is not a complete solution.

Scott K
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>