
RE: SSP - policy location compatibility with DK

2005-08-03 11:15:36

From: william(at)elan.net [mailto:william(_at_)elan(_dot_)net] 

There is nothing bad about rolling out new DNS RR. 

The bad part is that it ties deployment of your new protocol to
deployment of an updated DNS server that can publish the record. As we
discovered in MARID, a large number of DNS servers do not provide
production quality support for new RRs (i.e. it is technically possible
to coax them to emit new RR bit strings, but not in a way that any sane
sysadmin is going to support).


The bad is that certain current DNS proxies do not make it easy and
refuse to recognize or let them through to a DNS resolver that can
recognize them.

The bad is that to get around that, people are taking over other RRs
and in that way creating conflict. But this argument has played out in
MARID to a greater degree and I don't think we need a full repeat of that.

The other problem is that it is not possible to experiment. You have to
get your RR assigned before you start. This is really not compatible
with the Internet design philosophy in my view. Unfortunately a lot of
people tend to think of DNS as being so precious that they must stop the
uninitiated from defiling it at all costs. The result is that we end up
with wildcard SPF TXT records.

DKIM is pretty well behaved but I don't think we have succeeded in
describing a pattern for extending the DNS safely that we can be
confident others will follow.

What do we do if the next DKIM like scheme tramples on our records?
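Added example, not from this post or from any DKIM implementation: a check for the collision case the thread worries about, where a wildcard SPF TXT record (or some other foreign TXT) answers at a DKIM selector name. Selector names and record contents below are constructed, and no DNS query is made; each list entry is assumed to be one already-concatenated TXT rdata string.

```python
import re

# One DKIM tag: name, "=", value (value may contain whitespace, e.g. a folded key).
DKIM_TAG = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9]*)\s*=\s*(.*?)\s*$", re.DOTALL)

def parse_tag_list(txt: str) -> dict:
    """Parse a DKIM-style tag=value list such as "v=DKIM1; k=rsa; p=...".
    Raises ValueError on a malformed field or a duplicate tag name."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue  # trailing ';' leaves an empty field; tolerate it
        m = DKIM_TAG.match(field)
        if not m:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = m.group(1), m.group(2)
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags

def classify_txt(txt: str) -> str:
    """Label one TXT rdata string as 'dkim', 'spf', or 'other'."""
    if txt.lower().startswith("v=spf1"):
        return "spf"
    try:
        tags = parse_tag_list(txt)
    except ValueError:
        return "other"
    # 'v' defaults to DKIM1 when absent; 'p' (the public key) is required.
    if tags.get("v", "DKIM1") == "DKIM1" and "p" in tags:
        return "dkim"
    return "other"

def check_selector(name: str, txt_records: list) -> dict:
    """Summarise what a selector lookup returned and flag anything that is
    not exactly one DKIM key record (a wildcard SPF answer, a stray TXT)."""
    kinds = [classify_txt(t) for t in txt_records]
    report = {
        "name": name,
        "dkim": kinds.count("dkim"),
        "foreign": [t for t, k in zip(txt_records, kinds) if k != "dkim"],
    }
    report["collision"] = report["dkim"] != 1 or bool(report["foreign"])
    return report

# Constructed sample answers: a healthy selector and one swallowed by a wildcard SPF TXT.
SAMPLE = {
    "s1._domainkey.example.net": ["v=DKIM1; k=rsa; p=AAAA"],   # key value is a placeholder
    "s2._domainkey.example.org": ["v=spf1 -all"],
}
```

Running `check_selector` over each entry of `SAMPLE` reports the second selector as a collision with zero DKIM records, which is what a verifier would silently treat as "no key".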
