On Thu, 28 Feb 2019, Stephen Farrell wrote:
bar.org._same.foo.com. SAME . ; yes, we're a primary for whatever name that was
_same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.
Yep, that could work. I still prefer the design in our -00 though (sorry:-) as in your scheme here foo.com's zone will have to change with every change in a linkage whereas in the -00 design, changes are only needed in each of the bar.org zones that actually do change. (I think the counter to that might relate to difficulty in synchronising changes to keys/selectors in our -00 design which can have unexpected effects as we saw in the case of DKIM and a particular mail corpus leak in 2016;-).
Sure, but pick your poison. With your scheme you need a mutant DKIM signer at the primary and a way to send the result to the secondary. With mine, you just add a record. I realize that one or the other may be easier depending on where an organization's processes are broken but it's not obvious to me that the more complex design has an easier process.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
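The two records quoted at the top of the message sketch a linkage that only holds when both the primary (foo.com) and the secondary (bar.org) publish their half of it, which is also why the primary's zone has to change for every linkage. The following Python checker is an added example, not part of the thread and not from any draft: the SAME RR type, the `_same` label and the owner-name layout are taken from the quoted records as assumptions, the zone data is constructed inline in zone-file style so the check runs offline, and the extra names (baz.net, qux.example) are invented to show the one-sided cases.

```python
"""
Checker for the two-sided SAME linkage sketched in the quoted records.

Added example, not from the thread or any draft. The SAME type is
hypothetical (it exists only in the discussion). Assumed layout, taken
from the quoted lines:
  - the primary foo.com publishes    <secondary>._same.foo.com. SAME .
  - the secondary bar.org publishes  _same.bar.org. SAME foo.com.
A linkage is accepted only when both halves are present and agree.
"""

# Constructed sample data in zone-file style (not real DNS); ';' starts a comment.
# baz.net and qux.example are invented to exercise the one-sided cases.
ZONE_DATA = """
bar.org._same.foo.com.   SAME .         ; foo.com: we are primary for bar.org
baz.net._same.foo.com.   SAME .         ; foo.com also claims baz.net
_same.bar.org.           SAME foo.com.  ; bar.org: foo.com is our primary
_same.qux.example.       SAME foo.com.  ; qux.example points at foo.com, never confirmed
"""


def canon(name):
    """Lower-case the name and ensure a trailing dot so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_same_records(text):
    """Return {owner: target} for every SAME record; skips comments and blank lines."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "SAME":
            raise ValueError(f"unrecognised record: {line!r}")
        records[canon(fields[0])] = canon(fields[2])
    return records


def linkage_status(records, secondary, primary):
    """
    Classify the (secondary, primary) pair from the records seen:
      'linked'          both sides published matching records
      'primary-only'    primary claims the secondary, secondary does not point back
      'secondary-only'  secondary points at primary, primary has not confirmed
      'unlinked'        neither side says anything
    """
    secondary, primary = canon(secondary), canon(primary)
    primary_claims = records.get(secondary + "_same." + primary) == "."
    secondary_points = records.get("_same." + secondary) == primary
    if primary_claims and secondary_points:
        return "linked"
    if primary_claims:
        return "primary-only"
    if secondary_points:
        return "secondary-only"
    return "unlinked"


def linked_secondaries(records, primary):
    """
    Every secondary the primary confirms that also points back. Each entry
    needs its own <secondary>._same.<primary> record in the primary's zone.
    """
    primary = canon(primary)
    suffix = "_same." + primary
    found = []
    for owner, target in records.items():
        if target != "." or not owner.endswith(suffix):
            continue
        secondary = owner[: -len(suffix)]
        if secondary and records.get("_same." + secondary) == primary:
            found.append(secondary)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_same_records(ZONE_DATA)
    for sec in ("bar.org", "baz.net", "qux.example", "nope.test"):
        print(f"{sec:12s} -> {linkage_status(recs, sec, 'foo.com')}")
    print("confirmed by foo.com and pointing back:", linked_secondaries(recs, "foo.com"))
```

Run it directly to see each pair classified; only bar.org comes out as linked, because only it has a record on both sides. Swapping the constructed data for real lookups would mean one query per candidate secondary under `_same.foo.com` plus one for `_same.<secondary>`, which is the per-linkage cost being debated in the reply.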
