
Re: [ietf-dkim] New Thread: Use of CNAME in place of NS subdomain delegation

2006-08-28 13:58:15
Scott Kitterman wrote:
One of the major reasons I've been promoting the idea of the third party 
authorized list/DSD is to allow smaller domains that do not have the ability 
to do subdomain NS delegation to get the effective benefit of first party 
signing.  So, when I saw this:

On Saturday 26 August 2006 23:16, Wietse Venema wrote:

(*) This is possible even when the signer is in a different domain.
    All they need is the private key that matches the public key
    in the d= DNS record. That record can, but does not have to,
    be CNAME delegated to the signer's DNS.

I was interested.  Is a CNAME a reasonable alternative to the subdomain NS 
delegation approach that's been described previously?  I don't recall this 
being mentioned before.  It makes sense to me, but I certainly hadn't thought 
of it.  If this is viable, it changes, somewhat, my perspective on the 
significance of the requirement that we've stopped discussing for now.
Yes, it works; I was signing my home domain's messages with a CNAMEd
selector for a while for testing.  It relieves some, but not all, of the
issues with key delegation by TXT record.

The major concern I have heard with publication of a TXT record
(selector) containing a public key controlled by a delegatee is that key
rotation is awkward, since it requires coordination by the delegator and
delegatee.  While a CNAME would allow the delegatee to change the key on
a selector directly, recommended practice is that a new selector name be
used (see dkim-base-05, section 3.1, last paragraph).  The delegator
could pre-create a number of CNAME records for the delegatee to use, but
that still requires more coordination (albeit less frequently) than NS
delegation.

And, of course, it assumes that the delegator can create CNAME records.

-Jim
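An added illustration of the CNAME-delegated selector arrangement discussed in this message (example code written for this archive page, not code from the list, from Jim, or from any DKIM implementation). It models a delegator zone that pre-creates selector CNAMEs pointing into the delegatee's zone, resolves `<selector>._domainkey.<domain>` the way a verifier's resolver chases a CNAME, and shows both the key-change paths the message contrasts: the delegatee rotating the key under its own name without touching the delegator, and a new selector name that fails until the delegator has created a CNAME for it. All names (`delegator.example`, `signer.example`, selectors `s1`/`s2`) and key strings are constructed placeholders, and the key-record parsing is deliberately minimal.

```python
"""Toy in-memory model of DKIM key lookup through a CNAME-delegated selector.

Constructed example, not from the thread or from any DKIM library. The zone
dictionary below stands in for DNS; the 'p=' values are placeholders, not
real public keys. Only the tags needed for the illustration are handled.
"""

MAX_CNAME_DEPTH = 8  # guard against CNAME loops in the toy resolver

# Constructed zone data: owner name -> (rrtype, rdata).
ZONE = {
    # Delegator pre-creates two selector names as CNAMEs into the delegatee's
    # zone. Changing a key needs no change here; adding a selector does.
    "s1._domainkey.delegator.example": ("CNAME", "s1._domainkey.signer.example"),
    "s2._domainkey.delegator.example": ("CNAME", "s2._domainkey.signer.example"),
    # Delegatee (the signer) controls the records the CNAMEs point at.
    "s1._domainkey.signer.example": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"),
    "s2._domainkey.signer.example": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2"),
}


def resolve_txt(name, zone, depth=0):
    """Return the TXT rdata for name, following CNAMEs as a resolver would.

    Returns None when the name, or the end of its CNAME chain, does not
    exist; raises ValueError if the chain is too long (a loop, in practice).
    """
    if depth > MAX_CNAME_DEPTH:
        raise ValueError("CNAME chain too long (loop?) starting at %s" % name)
    rr = zone.get(name.lower().rstrip("."))
    if rr is None:
        return None
    rtype, rdata = rr
    if rtype == "CNAME":
        return resolve_txt(rdata, zone, depth + 1)
    if rtype == "TXT":
        return rdata
    return None


def parse_dkim_key(txt):
    """Split a 'tag=value; tag=value' key record into a dict (simplified)."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        tag, _, value = field.partition("=")
        tags[tag.strip()] = value.strip()
    return tags


def fetch_dkim_key(selector, domain, zone):
    """Look up <selector>._domainkey.<domain>, the DKIM key query name.

    Returns the parsed tag dict, or None if no usable key record is found.
    """
    txt = resolve_txt("%s._domainkey.%s" % (selector, domain), zone)
    if txt is None:
        return None
    tags = parse_dkim_key(txt)
    # 'v' is optional and defaults to DKIM1; 'p' is required.
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return None
    return tags


def rotate_key_in_place(zone, delegatee_name, new_public_key):
    """Delegatee replaces the key under its own name; delegator's zone is untouched.

    This is the path the message notes a CNAME allows, as opposed to the
    recommended practice of publishing a new selector name.
    """
    rtype, _ = zone[delegatee_name]
    if rtype != "TXT":
        raise ValueError("%s is not a TXT record" % delegatee_name)
    zone[delegatee_name] = ("TXT", "v=DKIM1; k=rsa; p=%s" % new_public_key)


if __name__ == "__main__":
    zone = dict(ZONE)
    print("s1 via CNAME:", fetch_dkim_key("s1", "delegator.example", zone))
    rotate_key_in_place(zone, "s1._domainkey.signer.example", "PLACEHOLDER_KEY_1B")
    print("s1 after delegatee rotation:", fetch_dkim_key("s1", "delegator.example", zone))
    # A fresh selector the delegator never CNAMEd is invisible to verifiers.
    print("s3 without a delegator CNAME:", fetch_dkim_key("s3", "delegator.example", zone))
```

The two lookups after the rotation show the trade-off in the message: an in-place key change needs only the delegatee, while a new selector (`s3`) yields no key at all until the delegator adds a CNAME for it, which is the coordination step that NS delegation avoids.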
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html