I think that it is clear that there has to be some form of guideline for the use of the DNS for security policy distribution. It is clear that DKIM is going to be copied widely. It can be copied well or badly.

> > _policy._domainkey.domain TXT "o=-;a=email"
> > _policy._domainkey.domain TXT "o=~;t=y;a=sip"
>
> Without commenting on the rest, this approach is not as good as the multiple selector approach as it is likely to lead to bloating the response beyond the size of a UDP packet. Depending on the software involved you may end up with some semi-random subset of the responses or escalation to TCP access. Neither is a good thing.

I agree with Steve, we need separate selectors for each protocol policy and the process for defining them has to be workable.

I would suggest reserving the prefix _domainkey for policy records that make use of the same syntax and tag-value pair semantics as domain keys. If someone wants to define a policy record that takes a different approach then use a different prefix.

We should avoid the situation where we have two groups trying to lay claim to _pop3._domainkeys with incompatible semantics. It is not a problem if there are two groups with distinct prefixes.

Ultimately we are going to have to define a security policy distribution mechanism for the Internet.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
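To put numbers on Steve's size argument, here is an added example (not code from the thread or from any DKIM implementation) that parses the tag-value records quoted above and estimates how large a DNS reply gets when every protocol's policy is stacked under one name versus one selector per protocol. The example.com names and the 512-byte UDP limit without EDNS0 are assumptions made here.

```python
# Added example (not from the thread): estimate whether a DNS reply carrying
# DKIM-style policy TXT records still fits in a classic 512-byte UDP response.
# The o=/t=/a= tags follow the records quoted in the thread; the example.com
# names and the 512-byte limit without EDNS0 are assumptions made here.
UDP_DNS_LIMIT = 512   # RFC 1035 UDP payload limit when EDNS0 is not in use
DNS_HEADER = 12       # fixed DNS message header
RR_FIXED = 10         # TYPE + CLASS + TTL + RDLENGTH
NAME_POINTER = 2      # answer owner name compressed to a pointer at QNAME

def parse_tags(record: str) -> dict[str, str]:
    """Parse DKIM tag=value syntax such as 'o=~;t=y;a=sip' into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags

def wire_name_size(name: str) -> int:
    """Uncompressed wire length: 1 length byte per label plus the root byte."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1

def txt_rr_size(rdata: str) -> int:
    """One TXT answer RR: pointer, fixed fields, 1 length byte per 255-byte chunk."""
    chunks = max(1, (len(rdata) + 254) // 255)
    return NAME_POINTER + RR_FIXED + chunks + len(rdata)

def response_size(name: str, rdatas: list[str]) -> int:
    """Header + question (QNAME, QTYPE, QCLASS) + every TXT RR at that name."""
    return DNS_HEADER + wire_name_size(name) + 4 + sum(map(txt_rr_size, rdatas))

def fits_in_udp(name: str, rdatas: list[str]) -> bool:
    return response_size(name, rdatas) <= UDP_DNS_LIMIT

def policies_until_overflow(name: str, sample_policy: str) -> int:
    """How many policies of sample_policy's size one name can serve over UDP."""
    n = 0
    while fits_in_udp(name, [sample_policy] * (n + 1)):
        n += 1
    return n

if __name__ == "__main__":
    shared = "_policy._domainkey.example.com"   # one name for every protocol
    print(response_size("_sip._domainkey.example.com", ["o=~;t=y;a=sip"]), "bytes")
    print(policies_until_overflow(shared, "o=~;t=y;a=sip"), "policies fit at one name")
```

A single per-protocol selector answers in well under 100 bytes, while a shared name holds only a few short policies before the reply exceeds the UDP limit and resolvers truncate or fall back to TCP.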
