On Tue, Jul 04, 2006 at 09:22:17AM -0700, Michael Thomas allegedly wrote:
> John Levine wrote:
>
> >>Current DNS RRtypes which result in a leaf record will not loop.
> >
> >CNAMEs can always loop, but that is a general problem that we aren't
> >making any worse.
>
> It's my belief that DKIM selectors don't allow CNAME's. Am I correct?

Whilst that might be appealing if one is no fan of CNAMEs, it would be very hard to enforce. In particular, an amount of DNS client software follows CNAMEs automatically for the caller, so a verifier may not even get the chance to make this decision. One example being the popular CPAN module Net::DNS::Resolver. It wouldn't surprise me if some caches do this too, making detection impossible in some cases.

Furthermore, disallowing CNAMEs would be inconsistent with most (all?) other RR type queries, thus creating surprise for unknowing DNS admins who might routinely use CNAMEs.

Which maybe brings up a documentation clarification about allowing CNAMEs, since at least one person assumed that they are not allowed.

Mark.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
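
The resolver behaviour discussed in the message above, as an added illustration that is not part of the original post: a toy stub resolver over a constructed in-memory zone, contrasting a single-step lookup (which exposes the CNAME) with a lookup that follows CNAMEs for the caller, so a verifier sees only the final TXT data. The zone contents, function names and the `MAX_HOPS` bound are assumptions made for this sketch.

```python
# Constructed sample zone; every name and record here is hypothetical.
ZONE = {
    ("sel1._domainkey.example.com", "CNAME"): "keys.provider.example",
    ("keys.provider.example", "TXT"): "v=DKIM1; k=rsa; p=CONSTRUCTED-KEY-1",
    ("sel2._domainkey.example.com", "TXT"): "v=DKIM1; k=rsa; p=CONSTRUCTED-KEY-2",
    ("loop-a._domainkey.example.com", "CNAME"): "loop-b._domainkey.example.com",
    ("loop-b._domainkey.example.com", "CNAME"): "loop-a._domainkey.example.com",
}
MAX_HOPS = 8  # assumed bound on alias chain length


class ResolutionError(Exception):
    """Raised when a CNAME chain loops or exceeds MAX_HOPS."""


def raw_lookup(name, rrtype):
    """One-step lookup: returns (type_found, rdata) or None. A CNAME is visible."""
    name = name.lower().rstrip(".")
    if (name, rrtype) in ZONE:
        return rrtype, ZONE[(name, rrtype)]
    if (name, "CNAME") in ZONE:
        return "CNAME", ZONE[(name, "CNAME")]
    return None


def chasing_lookup(name, rrtype):
    """Follows CNAMEs on the caller's behalf; the caller gets only final rdata."""
    seen = set()
    for _ in range(MAX_HOPS):
        key = name.lower().rstrip(".")
        if key in seen:
            raise ResolutionError(f"CNAME loop at {key}")
        seen.add(key)
        answer = raw_lookup(key, rrtype)
        if answer is None:
            return None
        found, rdata = answer
        if found == rrtype:
            return rdata
        name = rdata  # alias target: keep following
    raise ResolutionError("CNAME chain too long")


def fetch_key_record(selector, domain, lookup=chasing_lookup):
    """What a verifier would call: query TXT at <selector>._domainkey.<domain>."""
    return lookup(f"{selector}._domainkey.{domain}", "TXT")
```

Through `chasing_lookup`, the aliased `sel1` and the direct `sel2` both come back as plain TXT strings, so a "no CNAMEs" rule could only be checked by code that sees the single-step answer.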
