Should DKIM selector names be unguessable?

I reviewed the document and found the author(s) don't understand DNS propagation of new entries. When updating old entries there are configurable cache times that can be several days. However, new entries need to be fetched from the authoritative name servers before they can be cached.

If keys are being rotated by the suggested process of rotating keys behind three CNAMEs, there may be significant delays while cached entries are updated. This can be mitigated by dropping the TTL on the record to be updated in the period before it is updated. The CNAME rotations may also be problematic in the case an emergency key rotation is required.

Randomizing the key names does provide some small measure of protection against the public key being retrieved in advance of use. Once the key is in use, I would assume that it could have been harvested for the purpose of generating an alternate signing key.
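The caching behaviour the post describes, as an added illustration that is not part of the post: a toy resolver model showing that a repointed selector CNAME stays stale for its old TTL, that lowering the TTL ahead of time shrinks that window, and that a never-queried selector is fetched from the authoritative zone at once (names, keys and TTLs are constructed placeholders).

```python
from dataclasses import dataclass, field
# Constructed toy zone (placeholder names/keys): selector s1 is a CNAME to a key record;
# "rotation" means repointing that CNAME at a different key record.
ZONE = {
    "s1._domainkey.example.com": ("CNAME", "key-a._dkim.example.com", 86400),
    "key-a._dkim.example.com": ("TXT", "v=DKIM1; p=KEY_A_PLACEHOLDER", 86400),
    "key-b._dkim.example.com": ("TXT", "v=DKIM1; p=KEY_B_PLACEHOLDER", 86400),
}
SEL = "s1._domainkey.example.com"
@dataclass
class CachingResolver:
    """Toy recursive resolver: each record is served from cache until its TTL expires."""
    zone: dict
    cache: dict = field(default_factory=dict)  # name -> ((type, value), expires_at)
    def lookup(self, name, now):  # follow CNAMEs; every hop is cached independently
        for _ in range(8):
            rtype, value = self._get(name, now)
            if rtype != "CNAME":
                return value
            name = value
        raise RuntimeError("CNAME chain too long")
    def _get(self, name, now):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]
        rtype, value, ttl = self.zone[name]  # miss or expired: ask the authoritative zone
        self.cache[name] = ((rtype, value), now + ttl)
        return rtype, value

def staleness_after_rotation(lower_ttl_first):
    """Seconds a warmed resolver keeps returning the OLD key after the CNAME is repointed."""
    zone = dict(ZONE)
    r = CachingResolver(zone)
    r.lookup(SEL, now=0)  # warm the cache with the one-day CNAME
    t = 0
    if lower_ttl_first:  # drop the TTL, then wait out the OLD TTL so caches re-fetch it
        zone[SEL] = ("CNAME", "key-a._dkim.example.com", 300)
        t = 86400
        r.lookup(SEL, now=t)
    zone[SEL] = ("CNAME", "key-b._dkim.example.com", 86400)  # the actual rotation
    stale = 0
    while "KEY_A" in r.lookup(SEL, now=t + stale):
        stale += 60
    return stale

def new_selector_is_immediate():
    """A name never queried before has nothing cached, so it comes from authoritative at once."""
    zone = dict(ZONE)
    r = CachingResolver(zone)
    r.lookup(SEL, now=0)  # warm cache with the existing selector only
    zone["s2._domainkey.example.com"] = ("CNAME", "key-b._dkim.example.com", 86400)
    return "KEY_B" in r.lookup("s2._domainkey.example.com", now=1)
```

Real resolvers also negatively cache NXDOMAIN answers, so a selector that was queried before it was published can itself be served stale until that negative entry expires.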