[ietf-dkim] multiple keys under same selector+domain?
dotis at mail-abuse.org
Tue Apr 11 14:04:14 PDT 2006
On Apr 11, 2006, at 1:50 PM, Michael Thomas wrote:
> Dave Crocker wrote:
>> I did a quick scan of -core and did not find this issue dealt with:
>> When moving to a new key for a domain, may the same selector be
>> used, or is the signer required to use a different selector?
> You must use a new selector. Otherwise, depending on cache etc, you
> might get indeterminate results.
If the key is changed well prior to use and well after use, such as
in a round-robin fashion, there should be little that prevents this
technique. It is not a limitation of DNS, as it is rather common to
anticipate these transitions by setting the TTL for the affected
It will reduce the overhead when no record is found, rather than a
different record with a key that is not intended to verify the
message. In that case, it would be good to establish a practice
where a different selector is used to introduce a new key to minimize
the verification overhead.
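The two rotation strategies discussed above, simulated against a caching resolver. This is an added example, not code from the list thread or from any DKIM implementation; the zone, the TTL value and the message bodies are constructed, and the "signature" is a keyed digest standing in for the RSA signature so the script runs offline. It shows Michael Thomas's point (reusing a selector while a verifier still has the old key cached gives a cache-dependent pass/fail) and Doug Otis's point (the same selector does work when the key change happens more than one TTL before first use), alongside the new-selector practice where in-flight mail signed with the old key keeps verifying.

```python
"""Simulate DKIM key rotation against caching DNS resolvers.

Constructed example: the selector names, key ids, TTL and messages are made up,
and sign()/verify() use a digest bound to a key id as a stand-in for the real
RSA signature. The caching behaviour is what the example is about.
"""
import hashlib
from dataclasses import dataclass, field

DKIM_TTL = 3600  # constructed TTL for <selector>._domainkey TXT records


@dataclass
class Zone:
    """Authoritative records: selector -> (ttl, key_id)."""
    records: dict = field(default_factory=dict)

    def publish(self, selector, key_id, ttl=DKIM_TTL):
        self.records[selector] = (ttl, key_id)


@dataclass
class CachingResolver:
    """A recursive resolver used by one verifier; honours TTL on positive answers."""
    zone: Zone
    cache: dict = field(default_factory=dict)  # selector -> (expires_at, key_id)

    def lookup(self, selector, now):
        hit = self.cache.get(selector)
        if hit and hit[0] > now:
            return hit[1]                       # served from cache, zone not consulted
        ttl, key_id = self.zone.records.get(selector, (DKIM_TTL, None))
        if key_id is not None:
            self.cache[selector] = (now + ttl, key_id)
        return key_id


def sign(selector, key_id, body):
    # Stand-in for the DKIM-Signature: s= names the selector, b= is bound to the key.
    tag = hashlib.sha256(f"{key_id}:{body}".encode()).hexdigest()
    return {"s": selector, "b": tag, "body": body}


def verify(resolver, sig, now):
    """Fetch the selector's key through the verifier's resolver and check b=."""
    key_id = resolver.lookup(sig["s"], now)
    if key_id is None:
        return "permfail: no key"
    expected = hashlib.sha256(f"{key_id}:{sig['body']}".encode()).hexdigest()
    return "pass" if expected == sig["b"] else "permfail: key mismatch"


def rotate_same_selector_immediately():
    """Replace the key under the same selector and sign with it right away."""
    zone = Zone()
    zone.publish("sel", "key-1")
    warm, cold = CachingResolver(zone), CachingResolver(zone)
    verify(warm, sign("sel", "key-1", "hello"), now=0)   # warm caches sel -> key-1
    zone.publish("sel", "key-2")                          # t=600: swap key in place
    msg = sign("sel", "key-2", "hello again")
    # Same message, two verifiers, two answers: the result depends on cache state.
    return verify(warm, msg, now=600), verify(cold, msg, now=600)


def rotate_same_selector_after_ttl():
    """Replace the key under the same selector, but wait a full TTL before using it."""
    zone = Zone()
    zone.publish("sel", "key-1")
    warm = CachingResolver(zone)
    verify(warm, sign("sel", "key-1", "hello"), now=0)   # cached until t=3600
    zone.publish("sel", "key-2")                          # t=600: swap key in place
    msg = sign("sel", "key-2", "hello again")             # first use at t=600+TTL
    return verify(warm, msg, now=600 + DKIM_TTL)


def rotate_new_selector():
    """Introduce the new key under a new selector; keep the old record published."""
    zone = Zone()
    zone.publish("sel1", "key-1")
    warm, cold = CachingResolver(zone), CachingResolver(zone)
    verify(warm, sign("sel1", "key-1", "hello"), now=0)
    zone.publish("sel2", "key-2")
    msg = sign("sel2", "key-2", "hello again")
    in_flight = sign("sel1", "key-1", "sent just before the switch")
    return (verify(warm, msg, now=600), verify(cold, msg, now=600),
            verify(warm, in_flight, now=600))


if __name__ == "__main__":
    print("same selector, immediate use:", rotate_same_selector_immediately())
    print("same selector, after one TTL:", rotate_same_selector_after_ttl())
    print("new selector:                ", rotate_new_selector())
```

Real resolvers also cache negative answers, which is the overhead Doug Otis refers to when a selector has no record yet; publishing the new selector well before the first signature avoids that as well, and the old selector's record should stay published for at least one TTL after the last message signed with it.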