ietf-dkim

Re: [ietf-dkim] New Thread: Use of CNAME in place of NS subdomain delegation

2006-08-28 14:41:03
... [discussion of CNAME]

Yes, it works; I was signing my home domain's messages with a CNAMEd
selector for a while for testing.  It relieves some, but not all,
of the issues with key delegation by TXT record.

The major concern I have heard with publication of a TXT record
(selector) containing a public key controlled by a delegatee is
that key rotation is awkward, since it requires coordination by the
delegator and delegatee.  While a CNAME would allow the delegatee
to change the key on a selector directly, recommended practice is
that a new selector name be used (see dkim-base-05, section 3.1,
last paragraph).  The delegator could pre-create a number of CNAME
records for the delegatee to use, but that still requires more
coordination (albeit less frequently) than NS delegation.

The delegator could also hand over a subset of the namespace, e.g., using

  delegatee._domainkey.delegator.com.  IN  CNAME
                       delegatee._domainkey.delegatee.com.

(wrapping for readability only).

eric
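The delegation mechanics described in the post, as an added example that is not part of the original message or of any DKIM implementation: a small resolver over a constructed in-memory zone that follows the delegator's CNAME to the delegatee's TXT record, parses the DKIM tag list, and shows why an in-place key change works without the delegator's help while a new selector name needs a CNAME the delegator pre-created. The zone, domain names and key strings are made-up placeholders; the depth guard against CNAME loops is an assumption about how a cautious verifier would behave, not something the post specifies.

```python
"""Resolve a DKIM selector across a CNAME delegation (constructed, offline example)."""

MAX_CNAME_DEPTH = 8  # guard against looping or very long CNAME chains (assumed policy)

# Constructed zone data: owner name -> list of (rrtype, rdata). All values are placeholders.
ZONE = {
    # Delegator publishes only a CNAME; the delegatee owns the actual key record.
    "delegatee._domainkey.delegator.example.": [
        ("CNAME", "delegatee._domainkey.delegatee.example.")],
    "delegatee._domainkey.delegatee.example.": [
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_V1")],
    # A CNAME the delegator pre-created for a future selector, as the post suggests.
    "delegatee2._domainkey.delegator.example.": [
        ("CNAME", "delegatee2._domainkey.delegatee.example.")],
    # A CNAME pointing at itself, to exercise the loop guard.
    "loop._domainkey.delegator.example.": [
        ("CNAME", "loop._domainkey.delegator.example.")],
}


def lookup(zone, name, rrtype, depth=0):
    """Return the first rdata of type `rrtype` at `name`, following CNAMEs like a resolver."""
    if depth > MAX_CNAME_DEPTH:
        raise ValueError("CNAME chain too long or looping")
    records = zone.get(name, [])
    for t, data in records:
        if t == rrtype:
            return data
    for t, data in records:
        if t == "CNAME":
            return lookup(zone, data, rrtype, depth + 1)
    return None


def parse_dkim_txt(txt):
    """Parse a DKIM key record's 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)  # base64 padding in p= may contain '='
        tags[k.strip()] = v.strip()
    return tags


def fetch_dkim_key(zone, selector, domain):
    """Return the public key (p= tag) for selector/domain, or None if absent or revoked."""
    name = f"{selector}._domainkey.{domain}."
    txt = lookup(zone, name, "TXT")
    if txt is None:
        return None
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a usable DKIM key record")
    return tags["p"] or None  # an empty p= means the key is revoked


def resolves_safely(zone, selector, domain):
    """True if the record resolves (or is cleanly absent) without tripping the loop guard."""
    try:
        fetch_dkim_key(zone, selector, domain)
        return True
    except ValueError:
        return False


def delegatee_rotates_in_place(zone, key):
    """Delegatee replaces the key under the existing selector; delegator does nothing."""
    zone["delegatee._domainkey.delegatee.example."] = [("TXT", f"v=DKIM1; k=rsa; p={key}")]


def delegatee_publishes_new_selector(zone, selector, key):
    """Delegatee publishes under a new selector; only reachable if the delegator's CNAME exists."""
    zone[f"{selector}._domainkey.delegatee.example."] = [("TXT", f"v=DKIM1; k=rsa; p={key}")]


if __name__ == "__main__":
    z = dict(ZONE)
    print(fetch_dkim_key(z, "delegatee", "delegator.example"))
    delegatee_rotates_in_place(z, "PLACEHOLDER_KEY_V2")
    print(fetch_dkim_key(z, "delegatee", "delegator.example"))
    delegatee_publishes_new_selector(z, "delegatee3", "PLACEHOLDER_KEY_V3")
    print(fetch_dkim_key(z, "delegatee3", "delegator.example"))  # None: no CNAME was pre-created
```

Run against the constructed zone, the first lookup lands on the delegatee's record through the delegator's CNAME, the in-place rotation is visible immediately, and a brand-new selector name stays invisible until the delegator adds a matching CNAME, which is exactly the residual coordination the post describes.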