On Aug 28, 2006, at 12:42 PM, Dave Crocker wrote:
> Jim Fenton wrote:
>> I have yet to see concrete examples of domains that would not
>> easily be able to do NS delegation or key-based delegation. There
>> seems to be an assumption that it's easier for some domains to
>> publish TXT records than it is for them to publish NS records, but
>> I haven't seen anything to support this.
> +1.
May I respectfully disagree. The assumption of a designated domain
being easier is indeed valid.
DNS delegation involves the domain owner, the email-service provider,
and possibly their respective name-service providers. The mail-service
provider must then select the correct signing domain based upon the
account used to gain access. Any error made transcribing DNS-related
information will involve potentially two or three different entities.
Debugging a complex arrangement represents a scaling issue.
(additional people required)
Any abuse related issues will likely be sent to the signing domain
and not the email-service provider offering the outbound services.
The email-service provider must be diligent at preventing abusive use
of their IP addresses, but delegation may represent a disadvantage
regarding oversight. A significant amount of resources may be
subsequently expended responding to situations where abuse warnings
appeared to have been ignored. Oversight is a scaling issue.
(additional people required)
A designated signing domain would be a completely different
situation. This transaction would involve only the domain owner and
their name-service provider. (no additional people required)
Any abuse would still be reported to the signing domain, which better
facilitates oversight. (no additional people required)
Either effort only affects annotations placed upon the message.
Designation should offer different annotations from that of a
matching From/signing domain to allay security concerns.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
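The two delegation mechanisms named in the quoted text (key-based delegation and NS delegation) are shown below as DNS zone fragments, so the reader can see which parties have to touch which zone in each case. This is an added illustration, not part of the thread or of any DKIM draft; the domain example.com, the provider name mailprovider.example, its nameserver names, the selector `provider1`, and the SOA values are assumed, and the public key is a placeholder. The designated signing domain alternative Doug describes is not shown, since the thread gives no record format for it.

```dns
; --- Option A: key-based delegation -------------------------------------
; The domain owner publishes, in its own example.com zone, the public key
; the email-service provider signs with. Only the owner and the owner's
; name-service provider edit this zone; the provider just hands over the
; key material (one transcription step, one zone).
$ORIGIN example.com.
provider1._domainkey   IN TXT ( "v=DKIM1; k=rsa; "
                                "p=PLACEHOLDER-BASE64-PUBLIC-KEY" )  ; assumed key

; --- Option B: NS delegation --------------------------------------------
; The domain owner delegates the whole _domainkey subtree to the provider's
; nameservers. After this, selector creation and key rotation happen in the
; provider's zone without further edits by the owner, but three parties
; (owner, provider, and each side's DNS operator) now share the setup.
$ORIGIN example.com.
_domainkey             IN NS  ns1.mailprovider.example.
_domainkey             IN NS  ns2.mailprovider.example.

; Provider-side zone for _domainkey.example.com (hosted by mailprovider.example).
; SOA serial/timer values are assumed for illustration.
$ORIGIN _domainkey.example.com.
@                      IN SOA ns1.mailprovider.example. hostmaster.mailprovider.example. (
                                2006082801 3600 900 1209600 300 )
@                      IN NS  ns1.mailprovider.example.
@                      IN NS  ns2.mailprovider.example.
provider1              IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER-BASE64-PUBLIC-KEY"
```

In both options a message signed with `d=example.com; s=provider1` leads the verifier to query `provider1._domainkey.example.com`, so the verification result is the same; what differs is who operates the zone that answers that query, which is the operational and oversight question the message above is arguing about.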