On Oct 16, 2006, at 1:20 PM, Scott Kitterman wrote:

> On Monday 16 October 2006 15:12, Douglas Otis wrote:
>> 4) Customer signing requires unique keys rather than unique sub-domains.
>
> Not to belabor the overall issue, but this particular point is
> inaccurate. I've done it single key with multiple customer domains
> and no NS delegation.
You are right. However, technically both designation and the CNAME
approach are still seen as providing different keys. Signing
referenced from different sub-domains unique to customers can also
use a common private key. In the case of the designation approach,
the provider fully controls the publishing of the keys. With the
CNAME approach, the provider depends upon the customer to create
proper references.
Assuming a reference to policy is avoided with the CNAME approach,
then both techniques require the same DNS overhead. Two transactions
to resolve the CNAME indirection, or one to directly obtain the key,
and another to obtain a designation policy. The difference is fairly
minor from an implementation standpoint, but dramatically different
from an administrative standpoint.
-Doug
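An added illustration of the two lookups Doug compares, not code from the thread or from any DKIM implementation: an in-memory stand-in for DNS with constructed zone data. The CNAME approach follows standard DKIM selector records; the `_policy` record name and `designate=` value used for the designation approach are placeholders assumed here, since the thread does not spell out that record's format.

```python
"""Model the CNAME and designation approaches to publishing a provider's DKIM
key for a customer domain, counting DNS transactions per verification."""

# Constructed zone data: name -> (rrtype, value).
# CNAME approach: the customer zone refers to the provider's key record.
# Designation approach: the customer zone names the provider in a policy
# record (hypothetical name/format), and the provider zone holds the key.
ZONES = {
    "s1._domainkey.customer.example": ("CNAME", "s1._domainkey.provider.example"),
    "s1._domainkey.provider.example": ("TXT", "v=DKIM1; k=rsa; p=<constructed-key>"),
    "_policy.customer.example": ("TXT", "designate=provider.example"),  # hypothetical
    # Customer typo in the CNAME target: the reference the provider depends on is wrong.
    "s1._domainkey.broken.example": ("CNAME", "s1._domainkey.typo.example"),
}


def query(name, want, log):
    """One DNS transaction; appends the queried name to `log` and follows a
    CNAME (costing a second transaction) when a different rrtype is wanted."""
    log.append(name)
    rec = ZONES.get(name)
    if rec is None:
        return None
    rrtype, value = rec
    if rrtype == "CNAME" and want != "CNAME":
        return query(value, want, log)
    return value if rrtype == want else None


def cname_approach(domain, selector):
    """Verifier asks for the customer's selector record and follows the CNAME.
    Returns (key or None, number of DNS transactions)."""
    log = []
    key = query(f"{selector}._domainkey.{domain}", "TXT", log)
    return key, len(log)


def designation_approach(domain, selector):
    """Verifier fetches the customer's designation policy, then the key
    directly from the designated provider. Returns (key or None, transactions)."""
    log = []
    policy = query(f"_policy.{domain}", "TXT", log)
    if policy is None or not policy.startswith("designate="):
        return None, len(log)
    provider = policy.split("=", 1)[1]
    key = query(f"{selector}._domainkey.{provider}", "TXT", log)
    return key, len(log)
```

Both approaches cost two transactions for `customer.example`, while `broken.example` shows the administrative difference: a mistaken CNAME in the customer zone yields no key even though the provider's record is intact.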
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html