On Behalf Of Tony Finch
On Tue, 2 Aug 2005, Hallam-Baker, Phillip wrote:
The DNS cache issue is bogus, you only see the effect if you CHOOSE to
turn on verification.

Doug mentioned verification by MUAs, which is not something that a
network operator can control, and which will significantly increase the
load on DNS caches if it becomes popular. However I think this is a
per-site scaling problem (each site may have to upgrade its caches), not
a network-wide scaling problem (the DNS won't melt down).

OK that is a reasonable point. However I don't see a sudden spike in DNS
usage from MUA use unless we have a situation where all the MUAs in a
network suddenly turn on DKIM verification simultaneously.
This is of course possible in certain situations, e.g. corporate IT
rolls out a new client to an entire enterprise or Microsoft sends out a
security patch.
I think this is an argument for a suitably worded caution in the
Security Considerations section. It does not appear to me to be a 'show
stopper' for the protocol architecture.