[ietf-dkim] RFC relevant to DKIM DNS RR effort

Douglas Otis dotis at mail-abuse.org
Mon Nov 28 11:24:28 PST 2005


On Nov 28, 2005, at 10:53 AM, Mark Delany wrote:

> We still need to sub-type search to ensure that the returned CERT  
> RRset contains a DKIM cert unless we continue to insist on  
> namespace separation. I'm under the impression that this type of  
> sub-typing is not viewed favorably.

The sub-type could be seen as analogous to a version parameter.  Due  
to the size of these records, binary storage seems wholly  
appropriate, and a TLV structure is extensible.  A sub-type or  
version mechanism seems inescapable, unless no further modifications  
are expected.

By "full advantage", does this mean a "good actor's" use of  
wildcards?  Legitimate wildcard certs would make defending against a  
DoS more problematic.  The effect this could have on a DNS cache will  
be significantly greater, but could not be readily excluded by name.

-Doug

