Douglas Otis wrote:
> DNS is not an infinite information sponge. When increasing the
> number of items stored in DNS, especially when these items are
> relatively large and used by potentially millions of domains, this
> will increase the DNS cache needed to obtain the same performance and
> stability. When a change is incremental, and offers a relatively
> linear growth as the mechanism becomes employed, then administrators
> have time to adjust.
>
> However, rather than limiting the goal to that of confirming just the
> domain, user identities have been included within DKIM. Despite
> otherwise sound justifications for including the user component, this
> feature should be removed. By including this feature offering
> specific user confirmation, this represents a potential for growth in
> DNS use that is neither incremental nor linear.
While I suppose that this is possible, it doesn't seem especially
likely. The single largest motivation (IMO) for user level granularity
is for outsourced functions. These functions are still on the same
order of magnitude as outbound signers or thereabouts. For true user
level granularity down to real individual users (e.g., the affinity
domain example), there is a significant amount of work that would have
to be expended first in order to achieve it: key management within the
zone itself, web sites, trust arrangements, getting signing software on
the user's MUA, etc, etc. This won't happen overnight -- especially in
contrast to the relatively straightforward job of inserting a couple of
selectors into the top level zone and modifying your outbound MTA.

So I guess I doubt that the DNS administrators are going to be blindsided
by all of this.
Mike
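To make the DNS-load point in this exchange concrete, here is an added example (not from either correspondent): it parses constructed DKIM-Signature headers and counts how many distinct public-key records a verifier's DNS cache must hold. It assumes the standard DKIM key lookup name `<selector>._domainkey.<domain>`; the header values are made up for illustration.

```python
from collections import Counter

# Constructed sample DKIM-Signature header values (not from the thread).
# example.com uses one selector for all users; affinity.example hands
# each user a selector of their own, i.e. "user level granularity".
SAMPLE_HEADERS = [
    "v=1; a=rsa-sha256; d=example.com; s=mail2005; i=alice@example.com; h=from:to; b=...",
    "v=1; a=rsa-sha256; d=example.com; s=mail2005; i=bob@example.com; h=from:to; b=...",
    "v=1; a=rsa-sha256; d=affinity.example; s=carol; i=carol@affinity.example; h=from:to; b=...",
    "v=1; a=rsa-sha256; d=affinity.example; s=dave; i=dave@affinity.example; h=from:to; b=...",
    "v=1; a=rsa-sha256; d=affinity.example; s=erin; i=erin@affinity.example; h=from:to; b=...",
]


def parse_tags(header):
    """Split a DKIM tag list into a dict, stripping surrounding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def key_record_name(tags):
    """DNS name a verifier queries for the signer's public key.

    Only the selector (s=) and signing domain (d=) appear in the name;
    the user identity (i=) does not. So DNS cache growth is driven by the
    number of distinct selectors a domain publishes, not by how many
    identities sign with them.
    """
    return f"{tags['s']}._domainkey.{tags['d']}"


def distinct_key_records(headers):
    """Count distinct key records per signing domain across the headers."""
    seen = set()
    per_domain = Counter()
    for header in headers:
        tags = parse_tags(header)
        name = key_record_name(tags)
        if name not in seen:
            seen.add(name)
            per_domain[tags["d"]] += 1
    return dict(per_domain)


if __name__ == "__main__":
    # Expected: {'example.com': 1, 'affinity.example': 3}
    print(distinct_key_records(SAMPLE_HEADERS))
```

The per-domain selector costs one cached record no matter how many users sign; the per-user scheme grows one record per user, which is the non-linear growth Douglas is worried about.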