Using CNAME for _domainkey (DKIM)
Greg Choules
gregchoules+bindusers at googlemail.com
Mon Feb 24 11:22:47 UTC 2025
My 2p is...

You *shouldn't* do a lot of things, but people do anyway, because they can.

If you maintain your own DKIM records then deliberately adding a CNAME
upfront seems unnecessarily complicated. KISS.

If someone else hosts them and CNAME is a pragmatic way to achieve that
"ask them" behaviour, then maybe OK. But beware the possible future problem
of dangling CNAMEs, where the domain they redirect to has expired and been
bought by someone else with darker purposes in mind.

FTR, CNAME records *cannot* co-exist with any other record type of the same
name.

Cheers, Greg

On Mon, 24 Feb 2025 at 10:59, Danilo Godec via bind-users <
bind-users at lists.isc.org> wrote:
> Hello,
>
>
> apparently one shouldn't use CNAMEs for 'delegating' _domainkey records
> to another DNS server, but I see that some email service vendors use
> that - they have their customers add a CNAME pointing to their TXT
> record (one recent example that I was dealing with is atlassian.net:
> https://accessplanit.atlassian.net/wiki/spaces/HG/pages/417005970/SPF+DKIM+SMTP+Prevent+your+system+emails+being+caught+by+spam+filters)
> - probably so that they can roll over their DKIM keys without their
> customers needing to do anything.
>
>
> I know that CNAME records can clash with other essential (MX, A, ...)
> records, but since a _domainkey subzone is quite specific and unlikely
> to be used for anything else, this should still work, right?
>
> Or should I consider this an absolute 'no-no' and have my 'customers'
> add the complete TXT record?
>
>
> Regards,
>
> Danilo
>
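
The two DNS hazards raised in the reply above (a _domainkey CNAME whose target no longer resolves, and a CNAME sharing its name with another record type), as an added Python example that is not part of the original thread. The zone rows, the vendor names and the ANSWERS table standing in for live DNS lookups are constructed assumptions; replace lookup_txt with a real resolver call to run it against your own zone.

```python
from collections import defaultdict

# Constructed zone rows (owner, type, rdata); all names are placeholders.
ZONE = [
    ("s1._domainkey.example.com.", "CNAME", "s1.dkim.vendor-a.example."),
    ("s2._domainkey.example.com.", "CNAME", "s2.dkim.gone-vendor.example."),
    ("s3._domainkey.example.com.", "CNAME", "s3.dkim.vendor-a.example."),
    ("s3._domainkey.example.com.", "TXT", "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"),
    ("www.example.com.", "CNAME", "web.host.example."),
]

# Constructed stand-in for live DNS: target -> (rcode, TXT strings).
ANSWERS = {
    "s1.dkim.vendor-a.example.": ("NOERROR", ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"]),
    "s3.dkim.vendor-a.example.": ("NOERROR", ["v=spf1 -all"]),
}

def lookup_txt(name):
    """Assumed resolver hook; names missing from ANSWERS behave as NXDOMAIN."""
    return ANSWERS.get(name.lower(), ("NXDOMAIN", []))

def has_dkim_key(txt):
    """True if the TXT string parses as tag=value pairs with a non-empty p= tag."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): v.strip() for k, v in pairs}
    return bool(tags.get("p"))

def audit(zone, lookup=lookup_txt):
    """Return (owner, issue, detail) findings for _domainkey CNAMEs."""
    types_at = defaultdict(set)
    for owner, rtype, _ in zone:
        types_at[owner.lower()].add(rtype)
    findings = []
    for owner, rtype, target in zone:
        name = owner.lower()
        if rtype != "CNAME" or "._domainkey." not in name:
            continue
        others = sorted(types_at[name] - {"CNAME"})
        if others:  # CNAME cannot share a name with any other type
            findings.append((name, "cname-coexists", others))
        rcode, txts = lookup(target)
        if rcode != "NOERROR":  # target no longer resolves: dangling
            findings.append((name, "dangling", target))
        elif not any(has_dkim_key(t) for t in txts):
            findings.append((name, "no-dkim-key", target))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE):
        print(finding)
```

A "dangling" finding is the case to act on first: remove or repoint the CNAME before the target domain can be registered by someone else.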