Re: Using CNAME for _domainkey (DKIM)

Mon, 24 Feb 2025 03:23:34 -0800 

My 2p is...
You *shouldn't* do a lot of things, but people do anyway, because they can.

If you maintain your own DKIM records then deliberately adding a CNAME
upfront seems unnecessarily complicated. KISS.

If someone else hosts them and CNAME is a pragmatic way to achieve that
"ask them" behaviour, then maybe OK. But beware the possible future problem
of dangling CNAMEs, where the domain they redirect to has expired and been
bought by someone else with darker purposes in mind.

FTR, CNAME records *cannot* co-exist with any other record type of the same
name.

Cheers, Greg

On Mon, 24 Feb 2025 at 10:59, Danilo Godec via bind-users <
bind-users@lists.isc.org> wrote:

> Hello,
>
>
> apparently one shouldn't use CNAMEs for 'delegating' _domainkey records
> to another DNS server, but I see that some email service vendors use
> that - they have their customers add a CNAME pointing to their TXT
> record (one recent example that I was dealing with is atlassian.net
> (
> https://accessplanit.atlassian.net/wiki/spaces/HG/pages/417005970/SPF+DKIM+SMTP+Prevent+your+system+emails+being+caught+by+spam+filters)
>
> - probably so that they can rollover their DKIM keys without their
> customers needing to do anything.
>
>
> I know that CNAME records can clash with other essential (MX, A, ...)
> records, but since a _domainkey subzone is quite specific and unlikely
> to be used for anything else, this should still work, right?
>
> Or should I consider this an absolute 'no-no' and have my 'customers'
> add the complete TXT record?
>
>
>      Regards,
>
>      Danilo
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to