At 04:12 PM 10/2/2004 -0400, Andrew Newton wrote:
> On Oct 2, 2004, at 11:32 AM, Miles Libbey wrote:
>> is that you believe that hosters will have a tough time managing
>> DomainKey-like DNS records. If this is indeed true, MARID must have
>> been a nightmarish proposal to those folks. IPs change frequently and
>> sometimes without notice, and can't be shared among different domains.
>
> Ah. It wouldn't be specific to DomainKeys. The general sentiment was that it
> was hard enough getting MX records pointing to the correct place... adding any
> new record would be a pain.

This was one of the considerations that led to the use of a separate server for
key authorization, the KRS, in Identified Internet Mail. It's only a one-time
effort to get DNS record(s) to point at the KRS(es), and from that point on the
administration of key authorization is in the hands of the mail administrator.
I believe it's important for the mail administrator to be able to act quickly
when revocation of a delegated user key is needed, and often the limitation is
organizational, not just technical.

At the same time, I have been convinced that there are situations, particularly
for small domains, where the administration of the KRS adds significant
overhead. For that reason the next rev of IIM will have the option to support
domain-level authorization of keys directly from DNS.

In other words, I don't think this is a "one size fits all" situation.
Sometimes administration of DNS records is more difficult than a separate
server, and sometimes the opposite is true.

-Jim