[ietf-dkim] New Thread: Use of CNAME in place of NS subdomain delegation
Eric Allman
eric+dkim at sendmail.org
Mon Aug 28 14:27:53 PDT 2006
>> ... [discussion of CNAME]
>>
> Yes, it works; I was signing my home domain's messages with a CNAMEd
> selector for a while for testing. It relieves some, but not all,
> of the issues with key delegation by TXT record.
>
> The major concern I have heard with publication of a TXT record
> (selector) containing a public key controlled by a delegatee is
> that key rotation is awkward, since it requires coordination by the
> delegator and delegatee. While a CNAME would allow the delegatee
> to change the key on a selector directly, recommended practice is
> that a new selector name be used (see dkim-base-05, section 3.1,
> last paragraph). The delegator could pre-create a number of CNAME
> records for the delegatee to use, but that still requires more
> coordination (albeit less frequently) than NS delegation.
The delegator could also hand over a subset of the namespace, e.g.,
using
delegatee._domainkey.delegator.com. IN CNAME
delegatee._domainkey.delegatee.com.
(wrapping for readability only).
eric
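As an added example (not part of Eric's message or the list archive), a toy in-memory resolver showing the CNAMEd-selector arrangement discussed above: the delegator publishes only CNAMEs, the delegatee owns the TXT key records, and a verifier following the chain still lands on the delegatee's key. Domain names, selector names and key values are constructed placeholders; the hop limit and loop check are this example's own choices.

```python
"""Toy DNS table for a CNAME-delegated DKIM selector (constructed data)."""

MAX_CNAME_HOPS = 8  # constructed guard against CNAME loops

# Constructed zone data. The delegator publishes only CNAMEs (one may be
# pre-created for a future selector); the delegatee owns the TXT records.
ZONE = {
    "sel1._domainkey.delegator.example.": ("CNAME", "sel1._domainkey.delegatee.example."),
    "sel2._domainkey.delegator.example.": ("CNAME", "sel2._domainkey.delegatee.example."),
    "sel1._domainkey.delegatee.example.": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"),
    "loop._domainkey.delegator.example.": ("CNAME", "loop._domainkey.delegator.example."),
}


def resolve_selector(name, zone=ZONE):
    """Follow CNAMEs from a selector name to its TXT record.
    Returns (final_name, txt); txt is None if nothing usable is published."""
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:          # CNAME loop: treat as no key
            return name, None
        seen.add(name)
        rtype, rdata = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = rdata
            continue
        return name, (rdata if rtype == "TXT" else None)
    return name, None             # chain too long


def parse_dkim_record(txt):
    """Split a DKIM key record ("v=DKIM1; k=rsa; p=...") into tag=value pairs."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def lookup_key(selector, domain, zone=ZONE):
    """Verifier-side view: the public key that selector._domainkey.domain resolves to."""
    _, txt = resolve_selector(f"{selector}._domainkey.{domain}.", zone)
    if txt is None:
        return None
    tags = parse_dkim_record(txt)
    return tags.get("p") if tags.get("v") == "DKIM1" else None


def delegatee_rotates(zone, selector, new_key):
    """Key rotation done entirely on the delegatee's side under a new selector name."""
    updated = dict(zone)
    updated[f"{selector}._domainkey.delegatee.example."] = ("TXT", f"v=DKIM1; k=rsa; p={new_key}")
    return updated
```

With the pre-created `sel2` CNAME in place, the delegatee can bring a new key live by publishing its own TXT record; the delegator's zone never changes.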