I'm OK with it as long as it's clear this is only done for the purposes of
 getting finer-grained keys and we're not shifting away from transit
 validation.
this is one of the reasons i think it is GOOD to defer human interface issues,
with a focus on this validation being consumed by a filtering mechanism,
rather than the recipient user, directly.
Agreed.
OTOH, could DNS scaling issues possibly be lurking nearby?
a number of folks keep raising this concern, but no one has yet produced a
serious analysis that says the problem is serious.
I certainly haven't seen any such analysis. If anyone else knows of one...
note that the signer can use any number of sub-domains and therefore split the
query traffic.  this is yet-another benefit of having the signing ID be
separated from From and Sender.
Well, part of the problem is that this stuff almost certainly can be
deployed in a massively scalable way in the absence of any other
concerns. The question is what will happen once you shape the deployment
to meet real world needs.
It's very possible that we simply don't know about how this stuff will
be used to know how well it will scale.
                                Ned