[ietf-dkim] Scalability concerns with Designated Signing Domains
fenton at cisco.com
Fri Aug 25 21:55:44 PDT 2006
Stephen Farrell wrote:
> Yep. 120 names sounds horrible. But then so would be 120 delegatees
> of whatever flavour probably.
> But I at least have no clue as to how many domains would have so
> many delegatees, versus how many would not easily be able to use
> NS delegation or key based delegation. And I see different opinions
> on the list. That's why I find it hard to see how we can decide
> this well. (Though we will decide it well of course.)
I have yet to see concrete examples of domains that would not easily be
able to do NS delegation or key-based delegation. There seems to be an
assumption that it's easier for some domains to publish TXT records than
it is for them to publish NS records, but I haven't seen anything to
There is also an underlying assumption that SSP will be published using
TXT records, which has not been decided. I believe there are good
reasons for using a new RR for this, even though this might be yet
harder for some domains to publish at first.
>> Delegation of keys, either through publication of a selector that
>> includes a provider's public key or through delegation of a subdomain to
>> a provider, does not run into this problem.
> True. But 120 copies of the same public key is also bad, and 120 copies
> of the same private key is unthinkable (for a security type anyway:-).
> I don't personally know if 120 copies of the same key record in
> different bits of the DNS is bad, nor whether 120 key records for a
> single domain is very bad. Doesn't sound good though.
The 120 delegates using key delegation can easily have their own
distinct keys. They just sign with different selectors. Nobody is
proposing doing key delegation using the same key, AFAIK.
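The selector-based key delegation described in this message, as an added illustration that is not part of the original post or of any DKIM implementation: each delegate gets its own selector and its own public key record under `<selector>._domainkey.<domain>`, a verifier picks the record from the `d=` and `s=` tags of the DKIM-Signature header, and revoking one delegate (empty `p=`) leaves the others untouched. The domain, selector names and key blobs are constructed placeholders (no real RSA keys or signatures), and the DNS zone is an in-memory dict.

```python
"""
Added example, not from the original ietf-dkim post: models DKIM key-based
delegation where every delegate signs under its own selector and key.
All domain names, selectors and key blobs are constructed placeholders;
the "zone" dict stands in for real DNS and nothing here does real signing.
"""
import base64
import re

DOMAIN = "example.com"  # constructed signing domain


def record_name(selector: str, domain: str) -> str:
    """DNS owner name of a DKIM key record: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 4871 section 3.2) into a dict.
    Whitespace inside values is dropped so folded p= blobs come out whole."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def build_zone(domain: str, delegates: dict) -> dict:
    """Return {owner_name: txt_record}, one record per delegate, each
    under its own selector with its own (distinct) public key blob."""
    zone = {}
    for selector, pubkey in delegates.items():
        zone[record_name(selector, domain)] = f"v=DKIM1; k=rsa; p={pubkey}"
    return zone


def revoke(zone: dict, selector: str, domain: str) -> None:
    """Revoke a single delegate: an empty p= tag means the key is revoked
    (RFC 4871 section 3.6.1). Records for other selectors are untouched."""
    zone[record_name(selector, domain)] = "v=DKIM1; k=rsa; p="


def lookup_key(zone: dict, dkim_signature: str):
    """Resolve the verifying key for a DKIM-Signature header value by its
    d= and s= tags. Returns the key blob, or None if the selector's record
    is missing or revoked."""
    sig = parse_tags(dkim_signature)
    record = zone.get(record_name(sig["s"], sig["d"]))
    if record is None:
        return None
    return parse_tags(record).get("p", "") or None


def fake_pubkey(label: str) -> str:
    """Constructed placeholder key blob; NOT a real RSA public key."""
    return base64.b64encode(f"placeholder-key-for-{label}".encode()).decode()


# Three hypothetical delegates (e.g. outsourced mailers), each with a
# distinct selector and a distinct key.
DELEGATES = {
    "esp1": fake_pubkey("esp1"),
    "esp2": fake_pubkey("esp2"),
    "newsletter": fake_pubkey("newsletter"),
}
ZONE = build_zone(DOMAIN, DELEGATES)

# Constructed DKIM-Signature header values; bh= and b= are placeholders.
SIG_ESP1 = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=esp1; "
            "h=from:to:subject; bh=AAAA; b=BBBB")
SIG_ESP2 = SIG_ESP1.replace("s=esp1", "s=esp2")


if __name__ == "__main__":
    for owner, txt in sorted(ZONE.items()):
        print(owner, "TXT", txt)
    print("distinct keys:", lookup_key(ZONE, SIG_ESP1) != lookup_key(ZONE, SIG_ESP2))
    revoke(ZONE, "esp1", DOMAIN)
    print("esp1 after revoke:", lookup_key(ZONE, SIG_ESP1))
    print("esp2 after revoke:", lookup_key(ZONE, SIG_ESP2) is not None)
```

The point the code makes is the one in the message: nothing forces delegates to share a key, because the selector in the signature header selects which record (and so which key) the verifier fetches, and each selector's record is published, rotated and revoked independently.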