Scott Kitterman wrote: > One of the major reasons I've been promoting the idea of the third party > authorized list/DSD is to allow smaller domains that do not have the ability > to do subdomain NS delegation to get the effective benefit of first party > signing. So, when I saw this: > > On Saturday 26 August 2006 23:16, Wietse Venema wrote: > > >> (*) This is possible even when the signer is in a different domain. >> All they need is the private key that matches the public key >> in the d= DNS record. That record can, but does not have to, >> be CNAME delegated to the signer's DNS. >> > > I was interested. Is a CNAME a reasonable alternative to the subdomain NS > delegation approach that's been described previously? I don't recall this > being mentioned before. It makes sense to me, but I certainly hadn't thought > of it. If this is viable, it changes, somewhat, my perspective on the > significance of the requirement that we've stopped discussing for now. > Yes, it works; I was signing my home domain's messages with a CNAMEd selector for a while for testing. It relieves some, but not all, of the issues with key delegation by TXT record.
The major concern I have heard with publication of a TXT record (selector) containing a public key controlled by a delegatee is that key rotation is awkward, since it requires coordination by the delegator and delegatee. While a CNAME would allow the delegatee to change the key on a selector directly, recommended practice is that a new selector name be used (see dkim-base-05, section 3.1, last paragraph). The delegator could pre-create a number of CNAME records for the delegatee to use, but that still requires more coordination (albeit less frequently) than NS delegation. And, of course, it assumes that the delegator can create CNAME records. -Jim _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
