[ietf-dkim] Delegation and Designation (#1360)

John Levine johnl at iecc.com
Thu Sep 28 23:04:07 PDT 2006


>In order to do this by key delegation, example.com would need to obtain
>a public key from exampletwo.com and publish it in its own DNS.

More likely, example.com will delegate a subzone to exampletwo.com
and let exampletwo handle all of the mechanics.

One possibility would be that they'd delegate something like
email.example.com and exampletwo would do the A and MX as well as the
keys.  Another would be to delegate ex2._domainkey.example.com so they
just manage (some of) the keys.  As I've noted several times, the
first scenario is very typical of large mailers using ESPs, many of
which do DK signing now.

>My opinion, if it isn't already obvious from the above discussion, is
>that designation is a flawed way of delegating signing authority.

Agreed.  The main argument I've heard in favor of designation is that
some outsourced DNS services don't let you insert your own NS records,
which strikes me as a reason to find a better DNS provider, not to
design a protocol around it.

R's,
John
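The second delegation option described above (example.com hands the label ex2._domainkey.example.com to the ESP via NS records), traced through a DKIM verifier's key lookup, as an added example that is not part of the post; the zone records, the DKIM-Signature header and the key values are constructed placeholders:

```python
import re

# Constructed zone data (placeholder keys): example.com delegates the label
# ex2._domainkey.example.com to exampletwo.com's name servers, as in the
# post's second option, and keeps its own selector "corp" in its own zone.
ZONES = {
    "example.com": {
        "ex2._domainkey.example.com": ("NS", "ns1.exampletwo.com"),
        "corp._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p=<corp-key-placeholder>"),
    },
    # This zone is served by exampletwo.com; example.com never edits its contents.
    "ex2._domainkey.example.com": {
        "sel1.ex2._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p=<esp-key-placeholder>"),
    },
}

# Constructed DKIM-Signature header: d= is still example.com (the signing
# domain asserted to recipients); the selector carries the delegated label
# as its suffix (s=sel1.ex2), so the ESP can only publish keys under ex2.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1.ex2;\r\n"
       "\th=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw==")

def dkim_query_name(header):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    value = re.sub(r"^DKIM-Signature:", "", header.strip(), flags=re.I)
    tags = dict(re.findall(r"(\w+)=([^;]*)", re.sub(r"\s+", "", value)))
    return f"{tags['s']}._domainkey.{tags['d']}"

def resolve(qname, zones=ZONES, apex="example.com"):
    """Walk from example.com's zone, following any NS delegation that cuts
    off a suffix of qname. Returns (zone that answered, TXT record or None)."""
    zone = apex
    while True:
        records = zones[zone]
        suffixes = [".".join(qname.split(".")[i:]) for i in range(qname.count(".") + 1)]
        cut = next((s for s in suffixes if s.endswith("." + zone)
                    and records.get(s, (None,))[0] == "NS"), None)
        if cut is None:                      # no delegation below us: answer here
            rec = records.get(qname)
            return zone, (rec[1] if rec and rec[0] == "TXT" else None)
        zone = cut                           # delegated: the ESP's servers answer

if __name__ == "__main__":
    qname = dkim_query_name(SIG)
    print(qname, "->", resolve(qname))
```

A selector outside the delegated label (s=corp) is answered from example.com's own zone, and a selector under ex2 that the ESP never published comes back empty from the ESP's zone, so the verifier fails the signature rather than falling back to example.com's keys.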