[ietf-dkim] 1360, "delegation" vs "designation".
Douglas Otis
dotis at mail-abuse.org
Mon Oct 16 15:35:09 PDT 2006
On Oct 16, 2006, at 1:20 PM, Scott Kitterman wrote:
> On Monday 16 October 2006 15:12, Douglas Otis wrote:
>
>> 4) Customer signing requires unique keys rather than unique sub-domains.
>
> Not to belabor the overall issue, but this particular point is
> inaccurate. I've done it single key with multiple customer domains
> and no NS delegation.
You are right. However, technically both designation and the CNAME
approach are still seen as providing different keys. Signing
referenced from different sub-domains unique to customers can also
use a common private key. In the case of the designation approach,
the provider fully controls the publishing of the keys. With the
CNAME approach, the provider depends upon the customer to create
proper references.
Assuming a reference to policy is avoided with the CNAME approach,
then both techniques require the same DNS overhead. Two transactions
to resolve the CNAME indirection, or one to directly obtain the key,
and another to obtain a designation policy. The difference is fairly
minor from an implementation standpoint, but dramatically different
from an administrative standpoint.
-Doug
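The CNAME arrangement discussed above (customer publishes a CNAME at its selector name, provider publishes the key once under its own zone), shown as an added example that is not part of the original thread. It is a toy in-memory zone and resolver: the domain names, selector `s1`, and the `p=` values are constructed placeholders, not real keys. It counts the DNS transactions for each path (two when the CNAME crosses into the provider's zone, one for a directly published key) and shows the failure the post warns about, a customer whose CNAME target is mistyped, which the provider cannot repair from its side. The "designation" policy record is not shown, since its format is not given on the page.

```python
# Added example, not from the ietf-dkim thread: DKIM selector lookup
# with CNAME indirection, query counting, and the mistyped-CNAME failure.
# All zone data is constructed; names, selectors and p= values are hypothetical.

# Constructed zone: owner name -> list of (rrtype, rdata)
ZONE = {
    # The provider publishes the real key exactly once, in its own zone,
    # so rotation is a change here and nowhere else.
    "s1._domainkey.provider.example.": [
        ("TXT", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7placeholder"),
    ],
    # Customer A created the reference the provider asked for.
    "s1._domainkey.customer-a.example.": [
        ("CNAME", "s1._domainkey.provider.example."),
    ],
    # Customer B mistyped the target ("exmaple"); only the customer can fix it.
    "s1._domainkey.customer-b.example.": [
        ("CNAME", "s1._domainkey.provider.exmaple."),
    ],
    # Customer C publishes its own key directly: no indirection, one lookup.
    "s1._domainkey.customer-c.example.": [
        ("TXT", "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDothercustomerkey"),
    ],
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops in hostile or broken zones


def parse_dkim_tags(txt):
    """Parse a 'tag=value; tag=value' DKIM record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DKIM tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def lookup_dkim_key(selector, domain, zone=ZONE):
    """Resolve <selector>._domainkey.<domain>, chasing CNAMEs.

    Returns (tags_or_None, queries, chain). 'queries' models the case where
    the CNAME target lives in another zone, so each hop costs a transaction.
    """
    name = f"{selector}._domainkey.{domain}."
    chain = [name]
    queries = 0
    for _ in range(MAX_CNAME_HOPS):
        queries += 1
        rrs = zone.get(name)
        if not rrs:
            return None, queries, chain  # NXDOMAIN or no data at this name
        cnames = [rd for (rtype, rd) in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a name holds at most one CNAME
            chain.append(name)
            continue
        for rtype, rd in rrs:
            if rtype != "TXT":
                continue
            tags = parse_dkim_tags(rd)
            # v= is optional in key records and defaults to DKIM1
            if tags.get("v", "DKIM1") == "DKIM1" and "p" in tags:
                return tags, queries, chain
        return None, queries, chain
    raise RuntimeError(f"CNAME chain exceeded {MAX_CNAME_HOPS} hops: {chain}")


if __name__ == "__main__":
    for cust in ("customer-a.example", "customer-b.example", "customer-c.example"):
        tags, queries, chain = lookup_dkim_key("s1", cust)
        status = "key found" if tags else "NO KEY"
        print(f"{cust}: {status} after {queries} lookup(s) via {' -> '.join(chain)}")
```

Customer A and C both verify, but A costs two transactions and C one; B fails even though the provider's key record is perfectly good, which is the administrative difference the post is pointing at.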