... [discussion of CNAME]
Yes, it works; I was signing my home domain's messages with a CNAMEd
selector for a while for testing. It relieves some, but not all,
of the issues with key delegation by TXT record.
The major concern I have heard with publication of a TXT record
(selector) containing a public key controlled by a delegatee is
that key rotation is awkward, since it requires coordination by the
delegator and delegatee. While a CNAME would allow the delegatee
to change the key on a selector directly, recommended practice is
that a new selector name be used (see dkim-base-05, section 3.1,
last paragraph). The delegator could pre-create a number of CNAME
records for the delegatee to use, but that still requires more
coordination (albeit less frequently) than NS delegation.
The delegator could also hand over a subset of the namespace, e.g.,
using
delegatee._domainkey.delegator.com. IN CNAME
delegatee._domainkey.delegatee.com.
(wrapping for readability only).
eric
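To make the coordination point concrete, here is an added example (not from the post above or any DKIM implementation): a toy in-memory resolver that follows a CNAME from the delegator's selector to the delegatee's TXT record. It shows that the delegatee can rotate the key at the CNAME target on its own, while a new selector name still needs a CNAME pre-created by the delegator. All zone data, domain names and key strings are constructed placeholders.

```python
"""Toy DNS resolution for DKIM selectors delegated via CNAME. Added example,
not from the list post; zones, names and key strings are constructed placeholders.
"""
MAX_CHAIN = 8  # bound on CNAME hops, like a real resolver's loop protection

# Constructed zones. The delegator publishes only CNAMEs under _domainkey;
# the delegatee publishes the TXT records carrying the keys it controls.
DELEGATOR_ZONE = {
    "s1._domainkey.delegator.example.": ("CNAME", "s1._domainkey.delegatee.example."),
}
DELEGATEE_ZONE = {
    "s1._domainkey.delegatee.example.": ("TXT", "v=DKIM1; k=rsa; p=KEY_V1_PLACEHOLDER"),
}

def lookup(name, zones):
    """Return (rtype, rdata) for an owner name from the first zone holding it."""
    for zone in zones:
        if name in zone:
            return zone[name]
    return None

def resolve_dkim_txt(name, zones, max_chain=MAX_CHAIN):
    """Follow CNAMEs from a selector name to its TXT record (None if absent)."""
    for _ in range(max_chain + 1):
        rr = lookup(name, zones)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "TXT":
            return rdata
        if rtype != "CNAME":
            return None
        name = rdata  # CNAME: continue the lookup at the canonical name
    raise RuntimeError("CNAME chain too long or looping")

def rotate_delegatee_key(selector_fqdn, new_pubkey, zone=DELEGATEE_ZONE):
    """Key rotation done by the delegatee alone: only its own zone changes."""
    zone[selector_fqdn] = ("TXT", f"v=DKIM1; k=rsa; p={new_pubkey}")

def precreate_cnames(selectors, delegatee_domain, zone=DELEGATOR_ZONE):
    """The delegator's side of the coordination: one CNAME per future selector."""
    for sel in selectors:
        zone[f"{sel}._domainkey.delegator.example."] = (
            "CNAME", f"{sel}._domainkey.{delegatee_domain}")

if __name__ == "__main__":
    zones = [DELEGATOR_ZONE, DELEGATEE_ZONE]
    print(resolve_dkim_txt("s1._domainkey.delegator.example.", zones))
    rotate_delegatee_key("s1._domainkey.delegatee.example.", "KEY_V2_PLACEHOLDER")
    print(resolve_dkim_txt("s1._domainkey.delegator.example.", zones))
```

A verifier querying the delegator's selector sees the new key as soon as the delegatee changes its own TXT record, with no change on the delegator's side; a fresh selector name only resolves once both sides have published.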
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html