On Tue, Jun 9, 2015 at 12:42 PM, Viktor Dukhovni <[email protected]> wrote:
> On Tue, Jun 09, 2015 at 06:26:27PM +0200, A. Schulze wrote:
>
>> Barry Leiba encouraged me to write this "it works" message.
>
> Thanks for the confirmation.
>
>> OK, the total number of DNSSEC enabled destinations is small. Really small.
>> But for these destinations we're simply sure we transfer message securely to
>> the right receiver.
>>
>> YES,
>>  - it works
>>  - it does not hurt
>
> Still increasing gradually.  I have curated ~1400 domains now, but
> only 19 of them are "large enough" to be listed in the TLS statistics
> in Google's email transparency report.  That much smaller number
> is also rising gradually, just a few months ago it was 13.
>
> I hope that once the SMTP, SRV and "ops" drafts are published RFCs,
> the adoption rate will pick up.
>
> It would also be nice to see even fewer of the early adopters
> messing up key rotation (forgetting to update TLSA RRs when
> replacing certs).

Something that I have found is useful for things like this is to insert
a large comment in the MTA config file saying something like:
# *************************************************
# NOTE NOTE NOTE NOTE NOTE NOTE
#
# Don't forget to update the TLSA record
# when replacing this certificate, or you will
# look like a dumdum...
#*************************************************
right above the smtpd_tls_cert_file = (or equivalent) line.

That way I'm (hopefully!) sure to notice and remember...

>
> The number of broken domains is only small, because I send alerts
> now and then to the domains that get it wrong.

Thank you -- this seems to have made a significant difference.

>  Fully automating this
> is on the TODO list, but cycles are scarce.

Fair enough,
W

>
> --
>         Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
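A check that catches the key-rotation mistake Viktor describes (TLSA RRs left stale after a certificate swap), as an added example that is not part of this thread: it derives the DANE-EE "3 1 1" digest (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) from the certificate file the MTA serves and compares it with the value published in DNS. The certificate is a throwaway self-signed one generated inline, and the hostname, temp directory and record owner name are assumptions.

```shell
#!/bin/sh
# Expected TLSA "3 1 1" data for a certificate: SHA-256 over the DER-encoded
# SubjectPublicKeyInfo, printed as lowercase hex.
tlsa_311_digest() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# What DNS currently says for the MX host (assumes port 25 and a
# "3 1 1" record; needs network access, so not exercised below).
published_tlsa_311() {
    dig +short TLSA "_25._tcp.$1" \
      | awk '$1 == 3 && $2 == 1 && $3 == 1 { $1 = $2 = $3 = ""; print }' \
      | tr -d ' \n' | tr 'A-F' 'a-f'
}

# check_tlsa CERT.pem PUBLISHED_HEX -> 0 on match, 1 on mismatch.
# dig may split long rdata into space-separated chunks, so normalise first.
check_tlsa() {
    expected=$(tlsa_311_digest "$1")
    published=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    if [ "$expected" = "$published" ]; then
        echo "OK: TLSA 3 1 1 matches $1"
        return 0
    fi
    echo "MISMATCH for $1: DNS publishes $published, cert needs $expected" >&2
    return 1
}

# Constructed test fixture: a self-signed cert for a made-up MX host
# standing in for the file named by smtpd_tls_cert_file.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mx.example.net" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Typical use after a renewal (live DNS lookup, hostname is an assumption):
#   check_tlsa /etc/postfix/cert.pem "$(published_tlsa_311 mx.example.net)"
```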
