Michael Thomas wrote:
Amir Herzberg wrote:
Still new to DKIM (from draft-allman-dkim-base-00) so please bear
with me if I'm raising old issues; didn't identify them in the archives.
Looking at section 6.3 `Get the Public Key`... two questions/comments:
1. It says Verifier MUST retrieve public key... Always? Why not
include some key identifier and allow the verifier to use a cached
key (based on the identifier)? Of course, if key retrieval is using
DNS, then the DNS caching mechanism will also make this a local
operation. But I think there are several advantages to allowing a key
identifier and a key cache at the verifier. One motivation follows.
The intent is to use DNS caching, yes. Note that a DKIM implementation
is certainly more than welcome to contain a caching resolver for
efficiency.
I would add that whatever you use for caching (if it's not just what DNS
and/or your resolver provide) needs to pay attention to the time-to-live
on key records. Revocability of keys is an important property of DKIM,
so caching keys longer than is requested by the publisher is not a good
idea.
-Jim
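As an added illustration of the caching point discussed above (this is example code, not from the thread or from any DKIM implementation): a verifier-side key cache indexed by domain and selector that never serves a key past the TTL the publisher set on the DNS record. The resolver, the clock and the records are constructed stand-ins for DNS.

```python
"""Added example: a DKIM public-key cache that honours the publisher's DNS TTL."""
import time
from typing import Callable, Dict, Optional, Tuple

# A resolver returns (TXT record text, TTL in seconds) for a name, or None if absent.
Resolver = Callable[[str], Optional[Tuple[str, int]]]

def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DKIM key record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

class KeyCache:
    def __init__(self, resolver: Resolver, clock: Callable[[], float] = time.time,
                 max_ttl: int = 3600):
        self.resolver = resolver
        self.clock = clock
        self.max_ttl = max_ttl  # local cap: may shorten the DNS TTL, never extend it
        self._entries: Dict[Tuple[str, str], Tuple[Dict[str, str], float]] = {}

    def get_key(self, domain: str, selector: str) -> Optional[Dict[str, str]]:
        """Key record for selector._domainkey.domain; cached only until its TTL expires."""
        key_id = (domain.lower(), selector.lower())  # the key identifier
        now = self.clock()
        cached = self._entries.get(key_id)
        if cached and cached[1] > now:
            return cached[0]
        result = self.resolver(f"{selector}._domainkey.{domain}")
        if result is None:
            self._entries.pop(key_id, None)  # record gone: drop any stale copy
            return None
        txt, ttl = result
        record = parse_dkim_record(txt)
        self._entries[key_id] = (record, now + min(ttl, self.max_ttl))
        return record

def demo() -> Tuple[str, str, str]:
    """Constructed scenario: publisher revokes the key (empty p=) with a 300 s TTL."""
    records = {"s1._domainkey.example.com": ("v=DKIM1; k=rsa; p=OLDKEY", 300)}
    clock = {"t": 1000.0}
    cache = KeyCache(lambda name: records.get(name), clock=lambda: clock["t"])
    first = cache.get_key("example.com", "s1")["p"]
    records["s1._domainkey.example.com"] = ("v=DKIM1; k=rsa; p=", 300)  # revoked
    clock["t"] += 100   # within TTL: the cached key is still served
    second = cache.get_key("example.com", "s1")["p"]
    clock["t"] += 300   # TTL elapsed: the cache refetches and sees the revocation
    third = cache.get_key("example.com", "s1")["p"]
    return first, second, third  # ("OLDKEY", "OLDKEY", "")
```

A cache that keyed entries on the identifier alone, with its own fixed lifetime, would keep returning OLDKEY after the third step and defeat the revocation.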