"John" == John C Klensin <john-ietf(_at_)jck(_dot_)com> writes:
John> one cannot presume a trust relationship between
John> example.com. and example.foo.: all DNSSEC validation of the
John> CNAME proves is that the record is intact. In particular, it
John> doesn't indicate that example.com has given permission for the
John> alias nor that there is any real relationship between the
John> names from a trust standpoint. I hope that is clear; if it is
John> not, note that transform(example-2@example.foo.) IN CNAME
John> transform(example@evil.example.org.) would validate equally
John> well (and would validate whether evil.example.org actually
John> exists).
That's clear, but I don't understand why I care.
If we accept the premise that the folks running the DNS for example.foo. should
be able to make assertions about which PGP keys to trust for email
addresses ending in example.foo., why do we care what
example.com. thinks of the matter?
If example.foo. wants to delegate trust in a key, what's wrong with them
doing so? It seems reasonable for example.foo. to say they trust the
folks over at example.com. to stick the right key in DNS.
So, I see no reason why example.com should need to validate the alias.
This does mean that example.foo. can publish DNS records, and if those
records are trusted they can cause their users to get encrypted mail
that the users cannot read.
It seems like example.foo. can break email for example.foo. by
publishing a variety of DNS records and that's nothing new.