Good draft - got it to work quite easily; excellent examples in the draft, that does help.

However, ideally one would like the keys to be relatively short (i.e. ensure it easily fits in the UDP reply, along with other DNS info, and in order to keep calculation times on today's HW reasonable). This implies strongly that one wants to do key rollover. Would it be an idea to extend the proposal to:

-> Allow multiple (or at least 2) DomainKey-Signature: blocks if needed, along with something like:

"The signature of the email is stored in the "DomainKey-Signature:" header. This header contains all of the signature and key-fetching data. In order to allow for key rollover there MUST be at least one DomainKey-Signature but more MAY be present. If multiple DomainKey-Signature are present then the receiving MTA MUST verify each of them in the order received until one of them verifies correctly."

Alternatively one could allow multiple TXT replies; but this makes it sure to violate the UDP size limit. Also - if the keys are < 500 bits or so - rollover would be very frequent - hence easily leading to long periods in which this UDP limit would be violated.

Cheers,

Dw

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
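The two points in the message above, an ordered walk over several DomainKey-Signature headers and the 512-byte UDP budget for the selector's TXT record, as an added example that is not part of the original post or of the DomainKeys draft. Everything below is an assumption for illustration: textbook RSA over SHA-256 with tiny constructed primes, a toy "n:e" public-key encoding in the TXT record, no header or body canonicalisation, and an in-memory dict standing in for DNS; the function and selector names are invented.

```python
"""Added example (not from the draft or the poster): a toy DomainKeys-style
verifier that accepts several DomainKey-Signature headers and checks them in
order until one verifies, plus a rough check of whether a selector's TXT
record still fits a 512-byte UDP DNS reply.

Assumptions (not from the page): textbook RSA over SHA-256 with tiny
constructed primes, a toy "n:e" public-key encoding in the TXT record, no
canonicalisation, and an in-memory dict standing in for DNS.
"""
import base64
import hashlib
import math

E = 65537            # public exponent
UDP_DNS_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS0


def make_key(p, q):
    """Build a textbook RSA key from two primes (toy sizes, demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d}


# Constructed toy key pairs for the two selectors involved in a rollover.
OLD_KEY = make_key(1000003, 1000033)
NEW_KEY = make_key(999983, 1000039)


def parse_tags(value):
    """Split 'k=v; k2=v2' into a dict, keeping '=' padding inside base64 values."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def txt_record(key):
    """Toy TXT record for <selector>._domainkey.<domain> (assumed 'n:e' encoding)."""
    pub = base64.b64encode(f"{key['n']}:{key['e']}".encode()).decode()
    return f"k=rsa; p={pub}"


def parse_txt_key(txt):
    n, e = base64.b64decode(parse_tags(txt)["p"]).decode().split(":")
    return int(n), int(e)


def digest_int(body):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")


def sign_header(body, selector, domain, key):
    """Produce one DomainKey-Signature header over the body (toy RSA)."""
    h = digest_int(body) % key["n"]
    sig = pow(h, key["d"], key["n"])
    b = base64.b64encode(str(sig).encode()).decode()
    return f"DomainKey-Signature: a=rsa-sha256; q=dns; s={selector}; d={domain}; b={b}"


def verify_message(headers, body, dns):
    """Return the index of the first DomainKey-Signature header that verifies,
    or None. Headers are tried in the order received; a selector whose TXT
    record is missing (retired key) is skipped rather than failing the message."""
    sig_headers = [h for h in headers if h.lower().startswith("domainkey-signature:")]
    for idx, hdr in enumerate(sig_headers):
        tags = parse_tags(hdr.split(":", 1)[1])
        txt = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
        if txt is None:
            continue
        n, e = parse_txt_key(txt)
        sig = int(base64.b64decode(tags["b"]).decode())
        if pow(sig, e, n) == digest_int(body) % n:
            return idx
    return None


def txt_bytes_for_modulus_bits(bits):
    """Approximate TXT length if the modulus is base64-encoded raw; ignores DER
    and extra tags, so real records are somewhat larger."""
    raw = math.ceil(bits / 8)
    return len("k=rsa; p=") + 4 * math.ceil(raw / 3)


def txt_fits_in_udp(name, txt_len, other_rr_bytes=0):
    """Rough wire size of a DNS reply with one TXT answer: 12-byte header,
    question, answer (name, type/class/ttl/rdlength, rdata split into <=255-byte
    character-strings) and any other records the reply carries."""
    qname = len(name) + 2
    rdata = txt_len + math.ceil(txt_len / 255)
    return 12 + qname + 4 + qname + 10 + rdata + other_rr_bytes <= UDP_DNS_LIMIT


def rollover_demo():
    """Sender still signs with old and new key; the old selector has already
    been removed from DNS, so the second header is the one that verifies."""
    body = "Hello, DomainKeys rollover test.\n"
    headers = [
        "From: alice@example.com",
        sign_header(body, "old", "example.com", OLD_KEY),
        sign_header(body, "new", "example.com", NEW_KEY),
    ]
    dns = {"new._domainkey.example.com": txt_record(NEW_KEY)}
    return verify_message(headers, body, dns)


if __name__ == "__main__":
    print("verified header index:", rollover_demo())
    for bits in (512, 1024, 2048, 4096):
        size = txt_bytes_for_modulus_bits(bits)
        print(bits, "bit modulus ->", size, "byte TXT, fits UDP:",
              txt_fits_in_udp("new._domainkey.example.com", size))
```

The verifier skips a header whose selector no longer resolves instead of rejecting the message, which is what makes the overlap period of a rollover safe; a tampered body still fails every header. The size helper only estimates the TXT answer itself, so anything else the reply carries (additional records, a large EDNS-less response) should be passed via `other_rr_bytes`.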