[ietf-dkim] New Thread: Use of CNAME in place of NS subdomain
fenton at cisco.com
Mon Aug 28 13:51:00 PDT 2006
Scott Kitterman wrote:
> One of the major reasons I've been promoting the idea of the third party
> authorized list/DSD is to allow smaller domains that do not have the ability
> to do subdomain NS delegation to get the effective benefit of first party
> signing. So, when I saw this:
> On Saturday 26 August 2006 23:16, Wietse Venema wrote:
>> (*) This is possible even when the signer is in a different domain.
>> All they need is the private key that matches the public key
>> in the d= DNS record. That record can, but does not have to,
>> be CNAME delegated to the signer's DNS.
> I was interested. Is a CNAME a reasonable alternative to the subdomain NS
> delegation approach that's been described previously? I don't recall this
> being mentioned before. It makes sense to me, but I certainly hadn't thought
> of it. If this is viable, it changes, somewhat, my perspective on the
> significance of the requirement that we've stopped discussing for now.
Yes, it works; I was signing my home domain's messages with a CNAMEd
selector for a while for testing. It relieves some, but not all, of the
issues with key delegation by TXT record.
The major concern I have heard with publication of a TXT record
(selector) containing a public key controlled by a delegatee is that key
rotation is awkward, since it requires coordination by the delegator and
delegatee. While a CNAME would allow the delegatee to change the key on
a selector directly, recommended practice is that a new selector name be
used (see dkim-base-05, section 3.1, last paragraph). The delegator
could pre-create a number of CNAME records for the delegatee to use, but
that still requires more coordination (albeit less frequently) than NS
And, of course, it assumes that the delegator can create CNAME records.
More information about the ietf-dkim