*************** *** 368,374 **** That said, DKIM uses DNS to store selectors. Thus there is always the ability for a domain holder to delegate all or parts of the _domainkey subdomain to a third party of the domain holder's ! choosing. That is, the domain holder can always set a NS record for _domainkey.example.com to, say, an email provider who manages that namespace. There is also the ability for the domain holder to partition its namespace into subdomains to further constrain how --- 369,375 ---- That said, DKIM uses DNS to store selectors. Thus there is always the ability for a domain holder to delegate all or parts of the _domainkey subdomain to a third party of the domain holder's ! choosing. That is, the domain holder may be able to set a NS record for _domainkey.example.com to, say, an email provider who manages that namespace. There is also the ability for the domain holder to partition its namespace into subdomains to further constrain how *************** *** 377,382 **** --- 378,387 ---- the third party to only be able to sign messages on behalf of the benefits subdomain.
+ [INFORMATIVE NOTE: Not all DNS providers support separate + NS records for subdomains, so this approach is not universally + available.] + There have been concerns expressed about how well this would scale when the third party is, say, a large ISP that signs for thousands of domains. There has been concern about how well this would work for *************** Since this scenario is aimed primarily at small non-technical domain owners (who would be the most likely to outsource DNS services also) I think it is important to point out that not all DNS providers support subdomain NS delegation (personally, I mostly use two providers - one supports it, the other doesn't). It is another reason why NS delegation is not a complete solution. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html