Hiya,

On 28/02/2019 02:03, John Levine wrote:
> Well, OK, if that's an issue you spread the names out like we did with
> VBR. If the primary is foo.com and the secondary is bar.org:
>
> bar.org._same.foo.com. SAME . ; yes, we're a primary for whatever name that was
>
> _same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.
>
> This makes it somewhat more difficult to scrape all the secondaries
> for a primary which may be a feature.

Yep, that could work. I still prefer the design in our -00 though (sorry:-) as in your scheme here foo.com's zone will have to change with every change in a linkage whereas in the -00 design, changes are only needed in each of the bar.org zones that actually do change. (I think the counter to that might relate to difficulty in synchronising changes to keys/selectors in our -00 design which can have unexpected effects as we saw in the case of DKIM and a particular mail corpus leak in 2016;-).

To be clear: for my purposes I'd be ok with various of the designs we've been discussing - even if I think some are better than others, they're nearly equally ok. I think the main thing is to try keep it simple (as you've been doing) and to try find out if people might publish such values (absent which, there's not much point in publishing an RFC).

Cheers,
S.

_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop