From: Michael Thomas [mailto:mike(_at_)mtcc(_dot_)com]
NOMAIL is out of scope, but wildcard is in scope.
The relevance here is that it looks like we can get 95% or
better coverage of the real use cases here by acknowledging
that wildcards are primarily an issue for NOMAIL.

It is? If I sign everything for my domain, I'd like to be
able to say that for both the top level domain, and all of
the subdomains too, right?

Why would you be signing a subdomain that does not have an A record?
Come to that, how does your understanding of DKIM policy work for a node that
has no A record, no MX record and no related key records? If you have a policy
'I sign all mail', what restrictions do you impose on the key records?
I think that the corner cases for wildcarding seem to be falling into the
category of support for NOMAIL and thus out of scope.
We already know how to wildcard NOMAIL. If we find that only 5% of domains
actually need to wildcard a DKIM policy for domains that do not exist, then we
simply direct people to the existing solutions for declaring NOMAIL (MXdot,
SenderID/SPF) that work with wildcard.
At that point we can solve 95% of all problems today with no infrastructure
changes with the TXT/XPTR/TXT search, and the coverage will reach 100% in the
future as infrastructure is upgraded.
We don't need to propose any thrashing about the DNS tree of the type that
rightly upsets DNS folk. We set a clean precedent for the future. We get the
benefit of an improved admin model. We build out infrastructure that is DNSSEC
friendly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
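The point under debate above is that a DNS wildcard only answers for names that do not exist at all, so a `*.example.com` policy record reaches a NOMAIL subtree but not an existing subdomain that owns an A record. The following is an added simulation of RFC 4592 wildcard matching (closest encloser, then `*.<closest encloser>`); it is not code from the thread, and the zone contents and names are constructed for illustration.

```python
# Added example: RFC 4592 wildcard matching applied to a DKIM policy
# record. Zone data and names below are constructed, not real.
ZONE = {
    "example.com":                 {"MX": ["mail.example.com"]},
    "mail.example.com":            {"A": ["192.0.2.1"]},
    "_ssp._domainkey.example.com": {"TXT": ["dkim=all"]},
    "*.example.com":               {"TXT": ["dkim=all"]},   # wildcard policy
    "www.example.com":             {"A": ["192.0.2.2"]},    # exists, no policy
}

def _labels(name):
    return name.lower().rstrip(".").split(".")

def _exists(name):
    """A name exists if it, or anything below it, owns records
    (an empty non-terminal still counts as existing)."""
    ls = _labels(name)
    return any(_labels(owner)[-len(ls):] == ls for owner in ZONE)

def lookup(qname, qtype):
    """Return (status, rdata): NOERROR with data, NODATA, or NXDOMAIN."""
    if _exists(qname):
        rr = ZONE.get(qname, {})
        return ("NOERROR" if qtype in rr else "NODATA", rr.get(qtype, []))
    # Name does not exist: walk up to the closest encloser, the longest
    # ancestor that does exist, and consult only "*.<closest encloser>".
    ls = _labels(qname)
    for i in range(1, len(ls)):
        encloser = ".".join(ls[i:])
        if _exists(encloser):
            rr = ZONE.get("*." + encloser, {})
            if rr:
                return ("NOERROR" if qtype in rr else "NODATA", rr.get(qtype, []))
            return ("NXDOMAIN", [])
    return ("NXDOMAIN", [])

# Policy lookup for a subdomain that does not exist at all: the wildcard
# at example.com answers, so the NOMAIL subtree is covered.
# Policy lookup under www.example.com, which exists with an A record:
# the closest encloser is www.example.com itself, there is no
# *.www.example.com, so the result is NXDOMAIN and the top-level
# wildcard does not help.
```

A verifier walking the tree would need a policy (or its own wildcard) under every existing subdomain, which is why the wildcard question collapses mostly into the NOMAIL case.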