[ietf-dkim] Requirement clarification: NS delegation

Michael Thomas mike at mtcc.com
Wed Aug 9 11:11:44 PDT 2006


Change 1: done.
Change 2: folded into the next paragraph which has other concerns about 
the NS approach.

       Mike

Scott Kitterman wrote:

>***************
>*** 368,374 ****
>     That said, DKIM uses DNS to store selectors.  Thus there is always
>     the ability for a domain holder to delegate all or parts of the
>     _domainkey subdomain to a third party of the domain holder's
>!    choosing.  That is, the domain holder can always set a NS record for
>     _domainkey.example.com to, say, an email provider who manages that
>     namespace.  There is also the ability for the domain holder to
>     partition its namespace into subdomains to further constrain how
>--- 369,375 ----
>     That said, DKIM uses DNS to store selectors.  Thus there is always
>     the ability for a domain holder to delegate all or parts of the
>     _domainkey subdomain to a third party of the domain holder's
>!    choosing.  That is, the domain holder may be able to set a NS record for
>     _domainkey.example.com to, say, an email provider who manages that
>     namespace.  There is also the ability for the domain holder to
>     partition its namespace into subdomains to further constrain how
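Review bot: The changed line now says the domain holder "may be able to set a NS record", but the unchanged sentence just before it still states that "there is always the ability for a domain holder to delegate all or parts of the _domainkey subdomain". The paragraph therefore asserts the capability unconditionally and then hedges it one sentence later. Suggest softening the earlier sentence to match (for example "there is often the ability"). While this line is being touched, "a NS record" should read "an NS record".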
>***************
>*** 377,382 ****
>--- 378,387 ----
>     the third party to only be able to sign messages on behalf of the
>     benefits subdomain.
>
>+            [INFORMATIVE NOTE: Not all DNS providers support separate
>+            NS records for subdomains, so this approach is not universally
>+            available.]
>+
>     There have been concerns expressed about how well this would scale
>     when the third party is, say, a large ISP that signs for thousands of
>     domains.  There has been concern about how well this would work for
>***************
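Review bot: The added INFORMATIVE NOTE speaks of providers that do not "support separate NS records for subdomains", which is vaguer than the case the text in the earlier hunk describes, namely setting an NS record for _domainkey.example.com that points at a third party. Suggest stating it in those terms (for example "Not all DNS providers allow a domain holder to add NS records that delegate a subdomain such as _domainkey.example.com"). Also consider moving it into the paragraph that follows, which already collects the concerns about this approach, so that the limitation is read with them rather than as a bracketed aside between two paragraphs.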
>
>Since this scenario is aimed primarily at small non-technical domain owners 
>(who would be the most likely to outsource DNS services also) I think it is 
>important to point out that not all DNS providers support subdomain NS 
>delegation (personally, I mostly use two providers - one supports it, the 
>other doesn't).  It is another reason why NS delegation is not a complete 
>solution.
>
>Scott K


