On Sun, Apr 05, 2009 at 12:21:51AM +0100, John R. Levine wrote:
One of us should send in a separate technical erratum saying that DKIM
key records SHOULD be published only for SDID domains that have
corresponding MX or A records and can receive mail.
I believe your later posting on this retracted the suggestion, but this
issue strikes me as one that is very easy (and common) to misunderstand. So
it's worth emphasizing. Might be worth adding tidbits to the Deployment draft?
The d= domain name is permitted to have /no relationship/ to any
mail-sending or mail-receiving domain name. Hence, no A, MX, or possibly
/any(!)/ DNS resource records for the name.
Right. You have to control the branch of the DNS tree where the d= domain
would exist, since you need that to be able to install the key records,
but the domain doesn't have to exist otherwise. Once you remember that
the big advance of DKIM over its predecessors is to separate the signing
domain from the domains in various other headers, this is clearly the
right way for it to work.
+1
my thinking has always been 3243242.rep.example.net.
--
Jeff Macdonald
jmacdonald(_at_)e-dialog(_dot_)com
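
Added example, not part of the original thread: a sketch of the key lookup a DKIM verifier performs, showing that the only DNS name it touches is <selector>._domainkey.<d=>, so the d= name itself needs no A or MX record. The zone contents, the selector "sel1" and the key value are constructed for illustration; the d= name is the one from the post above.

```python
# Constructed zone: the d= name from the thread has a key record and nothing
# else. The selector "sel1" and the p= value are placeholders, not a real key.
ZONE = {
    ("sel1._domainkey.3243242.rep.example.net", "TXT"):
        ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    ("example.net", "MX"): ["10 mail.example.net."],
    ("mail.example.net", "A"): ["192.0.2.25"],
}

# Constructed DKIM-Signature header value, folded across two lines.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=3243242.rep.example.net;\r\n"
             "\ts=sel1; h=from:to:subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=")


def parse_tags(value):
    """Parse a DKIM tag=value list, rejecting malformed or duplicate tags."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ";" is allowed
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"bad tag-list item: {item!r}")
        tags[name] = val.strip()
    return tags


def key_query_name(sig_tags):
    """Name of the only DNS record a verifier needs: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}".lower()


def fetch_key(signature, zone, queries):
    """Look up the key record, logging each (name, type) query that is made."""
    name = key_query_name(parse_tags(signature))
    queries.append((name, "TXT"))
    records = zone.get((name, "TXT"), [])
    if len(records) != 1:  # simplification: this sketch wants one record
        raise LookupError(f"expected exactly one key record at {name}")
    return parse_tags(records[0])


if __name__ == "__main__":
    log = []
    key = fetch_key(SIGNATURE, ZONE, log)
    d = parse_tags(SIGNATURE)["d"]
    print("queries made:", log)
    print("key type:", key["k"])
    print("A/MX at d=:", ZONE.get((d, "A"), []), ZONE.get((d, "MX"), []))
```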