>>>>> "John" == John C Klensin <john-ietf@xxxxxxx> writes:

    John> one cannot presume a trust relationship between
    John> example.com. and example.foo.: all DNSSEC validation of the
    John> CNAME proves is that the record is intact. In particular, it
    John> doesn't indicate that example.com has given permission for the
    John> alias nor that there is any real relationship between the
    John> names from a trust standpoint. I hope that is clear; if it is
    John> not, note that transform(example-2@xxxxxxxxxxx.) IN CNAME
    John> transform(example@xxxxxxxxxxxxxxxx.) would validate equally
    John> well (and would validate whether evil.example.org actually
    John> exists).

That's clear, but I don't understand why I care.

If we accept the premise that the folks running the DNS for example.foo. should be able to make assertions about which PGP keys to trust for email addresses ending in example.foo., why do we care what example.com. thinks of the matter? If example.foo. wants to delegate trust in a key, what's wrong with them doing so? It seems reasonable for example.foo. to say they trust the folks over at example.com. to stick the right key in DNS. So, I see no reason why example.com should need to validate the alias.

This does mean that example.foo. can publish DNS records, and if those records are trusted they can cause their users to get encrypted mail that the users cannot read. It seems like example.foo. can break email for example.foo. by publishing a variety of DNS records, and that's nothing new.
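The disagreement above is about what a validated CNAME actually proves and who gets to decide whether to follow it. The following is an added example, not code from either poster or from any IETF draft: a small offline model of the lookup. It assumes that transform() in the quoted text is the owner-name transform from RFC 7929 (SHA2-256 of the UTF-8 local part, truncated to 28 octets, hex-encoded, as a label under _openpgpkey.<domain>), and the zone contents, the key blobs and the `allow_cross_zone_alias` policy knob are constructed for illustration. Both aliases in the sample data validate identically; only the client's policy distinguishes the alias to example.com. from the alias to evil.example.org.

```python
"""
Added example (not part of the original thread). Models the point under
discussion: DNSSEC validation of a CNAME proves that the aliasing zone
published an intact alias; it proves nothing about whether the target zone
agreed to publish keys for the aliased address. Following the alias is a
client policy decision, which is what the two posters are arguing about.

Assumptions (not from the thread): transform() is the RFC 7929 owner-name
transform; all zone data below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass

MAX_CNAME_CHAIN = 8  # guard against alias loops


def openpgpkey_owner(email: str) -> str:
    """Owner name for an e-mail address: sha256(local)[:28] hex, under _openpgpkey."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.rstrip('.')}."


@dataclass(frozen=True)
class RRset:
    rtype: str    # "CNAME" or "OPENPGPKEY"
    rdata: str    # alias target owner name, or the key blob
    secure: bool  # DNSSEC validation outcome for this RRset (AD bit)


# Constructed zone data: example.foo. aliases one address to a key published
# by example.com. and another to a key published by evil.example.org.
# Both aliases are validly signed by example.foo., so both validate.
ZONES = {
    openpgpkey_owner("example@example.foo"):
        RRset("CNAME", openpgpkey_owner("example@example.com"), secure=True),
    openpgpkey_owner("example@example.com"):
        RRset("OPENPGPKEY", "KEY-PUBLISHED-BY-example.com", secure=True),
    openpgpkey_owner("example-2@example.foo"):
        RRset("CNAME", openpgpkey_owner("example@evil.example.org"), secure=True),
    openpgpkey_owner("example@evil.example.org"):
        RRset("OPENPGPKEY", "KEY-PUBLISHED-BY-evil.example.org", secure=True),
}


def zone_of(owner: str) -> str:
    """Recover the mail domain from a transformed owner name."""
    return owner.split("._openpgpkey.", 1)[1]


def lookup_key(email: str, allow_cross_zone_alias: bool):
    """
    Chase CNAMEs from the transformed owner name to an OPENPGPKEY RRset.
    Returns (key_blob, zone_that_published_the_key, chain_is_secure).
    allow_cross_zone_alias is the policy choice: whether a key served from
    a zone other than the address's own domain is acceptable at all.
    """
    name = openpgpkey_owner(email)
    home_zone = zone_of(name)
    secure = True
    for _ in range(MAX_CNAME_CHAIN):
        rr = ZONES.get(name)
        if rr is None:
            raise LookupError(f"no record at {name}")
        secure = secure and rr.secure
        if rr.rtype == "OPENPGPKEY":
            return rr.rdata, zone_of(name), secure
        # CNAME: validation so far proved only that the aliasing zone
        # published it, nothing about the target zone's consent.
        name = rr.rdata
        if zone_of(name) != home_zone and not allow_cross_zone_alias:
            raise PermissionError(
                f"alias leaves {home_zone} for {zone_of(name)}; refused by policy")
    raise LookupError("CNAME chain too long")


if __name__ == "__main__":
    for addr in ("example@example.foo", "example-2@example.foo"):
        print(addr, "->", lookup_key(addr, allow_cross_zone_alias=True))
```

Running the block prints a valid, DNSSEC-secure key for both addresses, one from example.com. and one from evil.example.org.; nothing in the validation result separates them. The only place a client can express "I trust example.foo. to delegate, but not to arbitrary zones" is a policy such as `allow_cross_zone_alias`, which is the choice the second poster says belongs to example.foo.'s users rather than to example.com.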