On Thu 03/Dec/2015 21:59:32 +0100 Harald Alvestrand wrote:
> The "technical omission" here is "using 6186 together with mail servers
> supporting a high number of domains is going to be painful, and this
> document doesn't say how to solve it".

Painful = non-zeroconf, but why? An easy way to host 50,000 email domains without DNSSEC is to redirect them all to the same SRV targets. A few certificates suffice. The client-side "oneconf" setup should then ask:

    Is your mail hosted by <mail.example>? [confirm] [deny]

Possibly, it would also recall that property upon request. I wouldn't call "painful" getting such awareness, I'd be grateful.

IMHO, the above way is better than defining 50,000 email servers without proper certificates, or without DNSSEC. Can the I-D say so?

Ale
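The confirm-and-remember flow proposed in the message above, sketched as an added example (not part of the original post or of the I-D). The names `OneConf`, `decide` and `remember`, the accept/confirm/reject policy, and the assumption that the SAN names come from a certificate chain the TLS library has already validated are all illustrative.

```python
# Added illustration: names and policy are assumptions, not taken from the I-D.
from dataclasses import dataclass, field

def _labels(name):
    return name.rstrip(".").lower().split(".")

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-wise)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d

def cert_matches(host, san_dns_names):
    """Exact match, or a wildcard covering only the left-most label."""
    h = _labels(host)
    for san in san_dns_names:
        s = _labels(san)
        if s == h:
            return True
        if s[0] == "*" and len(s) == len(h) and len(h) > 2 and s[1:] == h[1:]:
            return True
    return False

@dataclass
class OneConf:
    # mail domain -> SRV target the user has already approved
    confirmed: dict = field(default_factory=dict)

    def decide(self, mail_domain, srv_target, san_dns_names, dnssec_validated=False):
        target = srv_target.rstrip(".").lower()
        if not cert_matches(target, san_dns_names):
            return "reject"    # server cannot prove it is the SRV target
        if dnssec_validated or in_domain(target, mail_domain):
            return "accept"    # redirection is authenticated or stays in-domain
        if self.confirmed.get(mail_domain.lower()) == target:
            return "accept"    # user already answered for this exact pair
        return "confirm"       # ask: "Is your mail hosted by <target>?"

    def remember(self, mail_domain, srv_target):
        """Record the user's [confirm] answer so the question is not repeated."""
        self.confirmed[mail_domain.lower()] = srv_target.rstrip(".").lower()
```

A later SRV answer that names a different target for the same mail domain falls back to "confirm", so a changed redirection is surfaced to the user instead of being silently accepted.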