[ietf-dkim] New Thread: Use of CNAME in place of NS subdomain delegation

Douglas Otis dotis at mail-abuse.org
Mon Aug 28 15:16:28 PDT 2006


On Aug 28, 2006, at 2:48 PM, Wietse Venema wrote:

>
> Michael Thomas:
>> That assumes you know what the operator will name the new
>> selectors -- that seems a bit problematic in the large, but for
>> some situations might be ok. I didn't even realize that Jim was
>> using CNAMEs for his selectors...
>
> For long-term applications, the need to pre-create
> selector2006/2007/etc. is an inconvenience. For short-term
> applications, however, a CNAME may have more benefits. It allows a
> site to maintain control over what names are delegated. With
> delegation of an entire DNS subtree there is less control over the
> delegated name space.

A CNAME outside DNS also comes at the expense of adding a DNS
transaction and a point of failure.  A CNAME transcription error used
at some point in the future may take a while to resolve when it does
become a problem.  This may be difficult to resolve when the CNAME
appears to point to a valid key.  Scaling may create namespace
densities where such errors are not always apparent and could be
induced by either the provider or the domain owner.  It is not as
simple as putting these CNAMEs "here" pointing "there"; the g=, s=, t=
and TTL are also details a domain owner may wish to be able to alter.

-Doug
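
Added example, not part of the original message: a small offline audit that follows each selector CNAME to its key record and compares the published tags with what the domain owner intends, so that a dangling CNAME and a CNAME that lands on a valid but wrong key are both reported. The zone contents, selector names, key values and expected tags are constructed for illustration, and TTLs are not modelled.

```python
# Constructed sample data standing in for DNS so the audit runs offline.
# Every name, key value and expected tag below is hypothetical.
ZONE = {
    ("sel2006._domainkey.example.com", "CNAME"): "sel2006._domainkey.provider.example",
    ("sel2007._domainkey.example.com", "CNAME"): "sel2O07._domainkey.provider.example",  # typo: dangling
    ("sel2008._domainkey.example.com", "CNAME"): "sel2006._domainkey.provider.example",  # typo: wrong key
    ("sel2006._domainkey.provider.example", "TXT"): "v=DKIM1; k=rsa; s=email; t=s; p=KEY2006",
    ("sel2008._domainkey.provider.example", "TXT"): "v=DKIM1; k=rsa; s=*; p=KEY2008",
}
# What the domain owner intends each selector to publish.
EXPECTED = {
    "sel2006._domainkey.example.com": {"p": "KEY2006", "s": "email", "t": "s"},
    "sel2007._domainkey.example.com": {"p": "KEY2007"},
    "sel2008._domainkey.example.com": {"p": "KEY2008", "s": "*"},
}

def resolve_txt(name, zone, max_hops=4):
    """Follow CNAMEs to a TXT record; return (txt or None, lookups made)."""
    lookups = 0
    for _ in range(max_hops + 1):  # bounded, so a CNAME loop cannot hang the audit
        lookups += 1
        txt = zone.get((name, "TXT"))
        if txt is not None:
            return txt, lookups
        target = zone.get((name, "CNAME"))
        if target is None:
            return None, lookups
        name = target
    return None, lookups

def parse_tags(txt):
    """Parse a key record's tag=value list into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def audit(selector_name, expected, zone):
    """Return findings for one selector; an empty list means it matches the owner's intent."""
    txt, lookups = resolve_txt(selector_name, zone)
    if txt is None:
        return [f"dangling: no key record after {lookups} lookups"]
    tags = parse_tags(txt)
    return [f"{t}= is {tags.get(t)!r}, owner expects {w!r}" for t, w in expected.items() if tags.get(t) != w]

if __name__ == "__main__":
    for name, expected in EXPECTED.items():
        print(name, audit(name, expected, ZONE) or "ok")
```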


