[ietf-dkim] Re: Last Call: 'DomainKeys Identified Mail (DKIM) Signatures' to Proposed Standard (draft-ietf-dkim-base)
pbaker at verisign.com
Sun Nov 19 07:11:18 PST 2006
> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Cullen Jennings
> On Nov 14, 2006, at 11:03 AM, Paul Hoffman wrote:
> > At 4:17 PM +0100 11/14/06, Joe Abley wrote:
> >> For the benefit of those who do not follow dnsext closely, what
> >> friction do you expect?
> > As Eric stated in his message, we should not rehash old arguments.
> > This has been beaten to death on the DKIM WG mailing list. As
> > expected, different people had different (and, in this case,
> > strongly-held) views, but consensus was reached and agreed to by the
> > AD and with the DNS folks.
> To avoid repeating this debate, can someone post some summary
> information on this particularly including which exact people
> came to consensus about this. I'm particularly interested in
> if the consensus included the contributors to
> draft-iab-dns-choices since that has been raised in LC comments.
Choices sets out four possibilities for extending the use of the DNS and sets out pros and cons for each.
The DKIM group has taken account of this information and has noted that, since key records do not require wildcard capability, the third option of prefix records is most appropriate, since they provide all the functionality required and are compatible with the DNS infrastructure as deployed.
The use of a new DNS RR is being considered for policy records which do require wildcard capability.
It is somewhat unfortunate that the choices draft does not take a more realistic approach to deployment constraints. This has been raised on numerous occasions, but the fact is that the best information we have available is the information presented during the MARID working group, which indicated that at the time only 50% of the deployed DNS infrastructure does in fact support new RRs in a production mode (i.e. you can add the RR using the standard admin tool and the configuration will survive a reboot). Things may have changed since, but the onus should be on those who claim the situation has changed to prove it.
In terms of consensus I don't think anyone would challenge the claim 'DKIM key records do not require prefixes'.
I believe that there is also universal consensus amongst those who have read choices and DKIM that the limitations of prefix records set out in the draft do not apply.
The only points on which there is disagreement are the question of the extent to which the deployed DNS infrastructure really supports new RRs and whether this would be a significant handicap in the case of DKIM deployment.
The first point is an empirical one; the second is subjective. We agree to disagree.