On 9/13/10 12:40 PM, MH Michael Hammer (5304) wrote:
> There is in fact a significant difference between handing your
> private key to a 3rd party and delegating a subdomain. While to you
> as a verifier, it may be just another domain, to myself as a sender
> and signer it is a significant difference in terms of management and
> control.
Delegating a subdomain below _domainkey to a third party would allow them to generate their own DKIM keys, but it also means they will control the content of the key record. This becomes more risky as more services start utilizing DKIM public keys. Any domain below _domainkey could be delegated, but users and recipients will likely pay attention to the domain used in email, and even then are likely to obtain the same whois information for the email domain and the selector domain. A verifier could examine the location of the key selectors, and might notice different SOA and NS records. Are you suggesting these records should be checked for every component of a domain's email infrastructure?

> >> Things like TPA or DSAP attempt to make the delegation of
> >> authority visible, but the ones that use DNS mechanisms like
> >> CNAME and NS don't do so.
>
> You are correct. I forget that many in the mail community do not know
> how to use tools such as dig.

Should verifiers check to determine whether the DKIM keys have different SOA and NS records than the MX record? What would it mean when all of these domains are different?

-Doug
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
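The check Doug asks about, as an added example that is not part of the thread and not code from any DKIM implementation: build the selector name from the d= and s= values, walk up its labels until a node with NS records is found (the zone cut), do the same for the MX host and the signing domain, and report whether the key record lives in a delegated zone served by different name servers. The NS lookup is injected as a callable so the logic runs offline; the `CONSTRUCTED_NS` table, the `_domainkey.example.com` delegation and the `esp.example.net` name servers in it are made up for illustration.

```python
"""Compare the DNS zone serving a DKIM selector record with the zone
serving the domain's MX host. Added example, not from the dkim-ops thread."""

from typing import Callable, Dict, FrozenSet, Optional

# A lookup returns the NS RRset owned by a name, or None when the name
# has no NS records (i.e. it is not a zone apex).
NSLookup = Callable[[str], Optional[FrozenSet[str]]]


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")


def selector_name(selector: str, domain: str) -> str:
    """Key record name for the s= and d= tags: <s>._domainkey.<d> (RFC 6376 3.6.2.1)."""
    return f"{normalize(selector)}._domainkey.{normalize(domain)}"


def zone_cut(name: str, lookup_ns: NSLookup) -> Optional[str]:
    """Walk up the labels of `name` until a node with NS records is found.
    That node is the apex of the zone that contains `name`."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if lookup_ns(candidate):
            return candidate
    return None  # no zone cut found (lookup had no data at all)


def compare_key_and_mx_zones(domain: str, selector: str, mx_host: str,
                             lookup_ns: NSLookup) -> Dict[str, object]:
    """Report where the DKIM key, the signing domain and the MX host are served."""
    key_name = selector_name(selector, domain)
    key_zone = zone_cut(key_name, lookup_ns)
    domain_zone = zone_cut(domain, lookup_ns)
    mx_zone = zone_cut(mx_host, lookup_ns)
    key_ns = lookup_ns(key_zone) if key_zone else None
    mx_ns = lookup_ns(mx_zone) if mx_zone else None
    return {
        "key_name": key_name,
        "key_zone": key_zone,
        "domain_zone": domain_zone,
        "mx_zone": mx_zone,
        # The key sits in a zone below the signing domain's own zone:
        # someone other than the domain's zone operator can edit it.
        "key_delegated": key_zone is not None and key_zone != domain_zone,
        "key_ns": sorted(key_ns or ()),
        "mx_ns": sorted(mx_ns or ()),
        # Same NS set suggests one operator; different sets are the
        # "different SOA and NS records" case from the thread.
        "same_operator_ns": bool(key_ns) and key_ns == mx_ns,
    }


# Constructed data (hypothetical): example.com delegates _domainkey to an
# outside provider's name servers; its MX stays in the example.com zone.
CONSTRUCTED_NS = {
    "example.com": frozenset({"ns1.example.com", "ns2.example.com"}),
    "_domainkey.example.com": frozenset({"ns1.esp.example.net", "ns2.esp.example.net"}),
    "example.net": frozenset({"ns1.example.net"}),
}


def constructed_lookup(name: str) -> Optional[FrozenSet[str]]:
    """Offline NS lookup over the constructed table above."""
    return CONSTRUCTED_NS.get(normalize(name))


def undelegated_lookup(name: str) -> Optional[FrozenSet[str]]:
    """Same domain with no _domainkey delegation: only example.com is a zone."""
    return CONSTRUCTED_NS.get(normalize(name)) if normalize(name) == "example.com" else None


if __name__ == "__main__":
    for row in (compare_key_and_mx_zones("example.com", "s1", "mx.example.com", constructed_lookup),
                compare_key_and_mx_zones("example.com", "s1", "mx.example.com", undelegated_lookup)):
        print(row)
```

For a live check, wrap a real resolver as the lookup, for example a function that calls dnspython's `dns.resolver.resolve(name, "NS")` and returns None on NXDOMAIN or NoAnswer. Walking to the NS set finds the zone cut directly; a SOA query at the same name gives the same answer and can be added if the administrative contact in the SOA RNAME is of interest.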
