[ietf-dkim] Base-04 //Security Concerns beyond Zone delegation

Douglas Otis dotis at mail-abuse.org
Fri Jul 21 15:56:10 PDT 2006


At the last meetings in Montreal, a few others also mentioned DKIM introduces a new concern beyond what is normally covered by zone delegations. There was also a related discussion in dnsop that related this concern to that of the ongoing problem affecting the use of a web cookie from allowing the same unverified administrative assertions now attempting to be repaired. There were previous attempts to expand upon the limited advice found in the Threat document for placement within the base Security Considerations that failed to reach WG consensus. Judging by these comments however, it seems that addressing this concern succinctly within the draft may proactively satisfy these concerns.

dkim-threats-03:
,---
|4.1.18.  Key Publication by Higher Level Domain
|...
| So it is unlikely that a higher level domain would intentionally
| compromise a subdomain in this manner.  However, if higher level
| domains send mail on their own behalf, they may wish to publish
| keys at their own level.  Higher level domains must employ
| special care in the delegation of keys they publish to ensure
| that any of their subdomains are not compromised by misuse of
| such keys.
'___

Enhanced Zone Delegation Agreements

The deployment of DKIM may require additional agreements extending beyond those for normal zone delegation. These agreements may be required to facilitate control over the validation of signing identities. The validation of DKIM signing identities may involve keys within a domain not delegated to the domain receiving email for the affected signing identity. It is possible these agreements might preclude the publishing of a "_domainkey" subdomain within a parent domain, or require that keys referenced from a parent domain have the "s" flag set within the key's t= tag value.

-Doug 
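The "s" flag in a key record's t= tag is what lets a verifier refuse to let a key published by a parent domain vouch for a subdomain identity. The check below is an added example written for this page; it is not code from the post, the DKIM working group, or any DKIM implementation. It assumes the RFC 4871 semantics of the flag (with t=s, the domain part of i= must equal d= exactly; without it, i= may be d= or any subdomain of d=), assumes the verifier has already fetched the key record at <s>._domainkey.<d>, and uses constructed sample records whose p=, bh= and b= values are placeholders, not real key or signature material.

```python
"""Added example (not from the ietf-dkim post): verifier-side check of the
DKIM key record "s" flag (t=s) against the signature's d= and i= domains.

Assumptions (RFC 4871 semantics, not anything the post itself spells out):
  * the verifier has already fetched the key record for <s>._domainkey.<d>;
  * with t=s present, the domain part of i= MUST equal d= exactly, so a key
    published by a parent domain cannot vouch for a subdomain's identity;
  * without t=s, i= may be d= or any subdomain of d=.
"""


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature or key TXT record).

    Folding whitespace inside values is dropped (base64 fields are often
    wrapped); duplicate tags are an error under the DKIM tag-list syntax.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, val = part.split("=", 1)  # split once: b= and p= contain '='
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(val.split())
    return tags


def key_flags(key_tags: dict) -> set:
    """Return the set of flags from a key record's t= tag (colon-separated)."""
    return {flag for flag in key_tags.get("t", "").split(":") if flag}


def signing_domain_ok(sig_tags: dict, key_tags: dict) -> bool:
    """Check the signature's identity (i=) against d= and the key's t= flags.

    Returns False when i= is not d= or a subdomain of d=, or when the key
    record carries the "s" flag and i= names anything but d= itself.
    """
    d = sig_tags["d"].lower()
    i = sig_tags.get("i", "@" + d).lower()  # default identity is @d per RFC 4871
    if "@" not in i:
        return False
    i_domain = i.rsplit("@", 1)[1]
    if i_domain != d and not i_domain.endswith("." + d):
        return False  # i= lies outside the signing domain entirely
    if "s" in key_flags(key_tags) and i_domain != d:
        return False  # parent-zone key may not vouch for a subdomain identity
    return True


# Constructed sample records; p=, bh= and b= values are placeholders.
KEY_WITHOUT_S = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"
KEY_WITH_S = "v=DKIM1; k=rsa; t=s; p=PLACEHOLDER_BASE64_KEY"

# A signature whose key lives in the parent zone (d=example.com) but which
# asserts a subdomain identity (i=@sub.example.com): the case the post raises.
SIG_SUBDOMAIN_IDENTITY = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "i=@sub.example.com; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
)
SIG_SAME_DOMAIN = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "i=user@example.com; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
)


def evaluate_samples() -> dict:
    """Run the sample combinations; each key describes the case it covers."""
    sub = parse_tags(SIG_SUBDOMAIN_IDENTITY)
    same = parse_tags(SIG_SAME_DOMAIN)
    return {
        "subdomain identity, key without s": signing_domain_ok(sub, parse_tags(KEY_WITHOUT_S)),
        "subdomain identity, key with s": signing_domain_ok(sub, parse_tags(KEY_WITH_S)),
        "same domain, key with s": signing_domain_ok(same, parse_tags(KEY_WITH_S)),
    }


if __name__ == "__main__":
    for case, ok in evaluate_samples().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The first sample combination is the situation the post describes: a parent zone's key is accepted for a subdomain identity whenever the parent omits t=s, so a verifier that never reads the flag gives the parent domain signing authority over every subdomain under it. Publishing the parent's keys with t=s, or keeping the "_domainkey" subdomain out of the parent zone altogether, are the two controls a delegation agreement would have to pin down.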

