On 5/6/2015 2:13 PM, Douglas Otis wrote:

The real problem in using double signature schemes is expiry
will be long enough to support significantly large campaigns
that can't be stopped even after being detected unless DKIM
signatures are pulled.  Then of course, this creates nasty
DNS handling issues and potentially high levels of
collateral damage.

I think you are overstating this. Remember, there are DDoS and load controls already in place. DKIM will not exert any more pressure on DNS than already exists. We are also very comfortable with the resilience of DNS software, advanced caching methods, and higher-powered, lower-cost machines allowing us to scale up, rather than scale out.

The real problem with double signatures is that more additional coding work is required and there are too many design assumption "ifs", making it inherently more complex, with a higher barrier to adoption compared to the baseline, simpler DNS call method.

--
HLS


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc