Mark Andrews <[email protected]> writes:

> If the site you want to email only has broken TLSA records, get
> them on the phone to fix the problem.

I agree with you, that's the ideal right solution! However, the world is a bit bigger than you can safely war-dial with a problem. This has been proven time and time again by the slow roll-out of every protocol on the planet. E.g., apparently not enough phone calls have been made to the recursive resolvers of every ISP that fail to turn on DNSSEC validation.

It's simply not scalable to fall back to a phone call, or even automated email. If we could, indeed, convince the world to upgrade quickly just by contacting them, we wouldn't have BCP38 problems, spam problems, IPv4 address space problems, and insecure-algorithms-in-use problems. But we very very much do. Otherwise, shouldn't we also call every SMTP service provider for every zone and tell them to turn on TLS? We haven't done that either (nor will anyone).

So, the alternative is to have a sliding roll-out that can support the case where 50% of the world is in a new state and 50% is in the old state. Opportunistic turning-on of anything results in "when both parties support it, it magically happens". That includes both the DANE/SMTP protocol itself, as well as the algorithm selection by preferring a stronger one over a weaker one, but not stopping delivery to the 50% of the world that hasn't switched yet.

The world has yet to succeed in a single flag day for any protocol. Not one.

-- 
Wes Hardaker
Parsons
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
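The opportunistic policy argued for above, as an added illustration that is not part of the thread: a hypothetical SMTP client's TLSA decision logic that authenticates when usable records exist, keeps only the strongest supported digest within a (usage, selector) group (the digest-agility idea from RFC 7671), and still delivers over unauthenticated TLS when every record is unusable instead of stopping delivery. The `TLSA` type, the supported sets and the `Policy` names are this example's own constructions.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import groupby

@dataclass(frozen=True)
class TLSA:
    """Constructed stand-in for a TLSA RR (RFC 6698 field layout)."""
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA2-256, 2 SHA2-512
    data: bytes

# What this hypothetical client implements; anything else is "unusable".
SUPPORTED_USAGES = {2, 3}       # PKIX usages are not usable for SMTP (RFC 7672)
SUPPORTED_SELECTORS = {0, 1}
DIGEST_STRENGTH = {1: 1, 2: 2}  # matching type -> relative strength

class Policy(Enum):
    DANE = "authenticate server against TLSA"
    UNAUTHENTICATED_TLS = "TLSA present but unusable: encrypt, do not authenticate"
    OPPORTUNISTIC = "no trustworthy TLSA: STARTTLS if offered"

def is_usable(r: TLSA) -> bool:
    return (r.usage in SUPPORTED_USAGES and r.selector in SUPPORTED_SELECTORS
            and (r.matching_type == 0 or r.matching_type in DIGEST_STRENGTH))

def prefer_strongest(records: list[TLSA]) -> list[TLSA]:
    """Within each (usage, selector) group keep only the strongest supported digest.
    Exact-match records (type 0) are not digests and are always kept."""
    keep = []
    key = lambda r: (r.usage, r.selector)
    for _, grp in groupby(sorted(records, key=key), key=key):
        grp = list(grp)
        best = max((DIGEST_STRENGTH[r.matching_type] for r in grp
                    if r.matching_type != 0), default=None)
        keep += [r for r in grp
                 if r.matching_type == 0 or DIGEST_STRENGTH[r.matching_type] == best]
    return keep

def decide(records: list[TLSA], dnssec_secure: bool) -> tuple[Policy, list[TLSA]]:
    """Pick a delivery policy; never refuses delivery over broken records."""
    if not dnssec_secure or not records:      # unsigned data cannot be trusted
        return Policy.OPPORTUNISTIC, []
    usable = prefer_strongest([r for r in records if is_usable(r)])
    if not usable:                            # all records broken/unsupported
        return Policy.UNAUTHENTICATED_TLS, []
    return Policy.DANE, usable
```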
