On Sun, Aug 23, 2015 at 07:29:50PM +0200, Patrik Fältström wrote:

> If not, we will get absolutely zero deployment of DANE with SMTP as we
> will never get 100% DNSSEC deployment.

We already have non-zero deployment, in fact ~2000 domains now, and
soon gmx.de and web.de as announced last week.

I think this thread needs to end, or else needs a more relevant
(to this WG) reboot.

If you want to propose an update that requires SMTP clients to
employ DANE TLSA verification of MX hosts in signed zones even when
the MX RRset was not "secure", read the previous discussion of this
question in the list archives (yes, it has come up before) and make
a clear-cut proposal with as solid a rationale as you can.

I am not sure this can get enough support to reach "rough consensus",
but I'm open to the possibility.  If we don't misrepresent the
resulting security, it may be an acceptable deterrent to downgrade
attacks against the MX host when for some reason the attacker is
unable or reluctant to tamper with DNS.

I'll survey the larger providers on this question at M3AAWG in
Atlanta in October.  In the mean-time we're making progress on
deploying DANE for SMTP as specified in the draft (upcoming RFC).

-- 
        Viktor.
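
The policy choice discussed in this message, as an added example that is not part of the original post or of any DANE implementation: it models how an SMTP client decides, per MX host, whether to apply DANE TLSA verification, given constructed resolver answers and their DNSSEC status. The domain names, TLSA data and the `require_secure_mx` switch are assumptions made for the illustration.

```python
# Added example (not from the original message or any DANE implementation):
# models an SMTP client's decision of whether to apply DANE TLSA verification
# to each MX host, given constructed resolver answers with their DNSSEC status.
from dataclasses import dataclass, field

@dataclass
class Answer:
    """A constructed resolver answer: records plus whether DNSSEC validated it."""
    records: list = field(default_factory=list)
    secure: bool = False

# Constructed DNS view (hypothetical names). example.org's MX RRset is NOT
# validated (unsigned zone), but one of its MX hosts lives in a signed zone
# with a TLSA record. example.net's MX RRset IS validated.
DNS = {
    ("example.org", "MX"): Answer(["mx1.example.org", "mx2.example.com"], secure=False),
    ("example.net", "MX"): Answer(["mx2.example.com"], secure=True),
    ("_25._tcp.mx1.example.org", "TLSA"): Answer([], secure=False),
    ("_25._tcp.mx2.example.com", "TLSA"): Answer(["3 1 1 <placeholder-hash>"], secure=True),
}

def lookup(name, rtype):
    return DNS.get((name, rtype), Answer())

def policy(domain, require_secure_mx=True):
    """Return {mx_host: mode} where mode is one of:
       'dane'           - secure TLSA records and a secure MX RRset: the
                          draft's full DANE, resisting both forged MX answers
                          and STARTTLS stripping.
       'dane-deterrent' - the proposal in the thread: TLSA used although the
                          MX RRset was insecure; deters tampering with the TLS
                          session only, not redirection via forged MX records.
       'opportunistic'  - no usable TLSA; plain opportunistic STARTTLS.
    """
    mx = lookup(domain, "MX")
    modes = {}
    for host in mx.records:
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        if not (tlsa.secure and tlsa.records):
            modes[host] = "opportunistic"
        elif mx.secure:
            modes[host] = "dane"
        elif require_secure_mx:
            modes[host] = "opportunistic"   # the draft's behaviour (RFC 7672)
        else:
            modes[host] = "dane-deterrent"  # the behaviour proposed in the thread
    return modes
```

The 'dane-deterrent' label is the point Viktor makes about not misrepresenting the resulting security: with an insecure MX RRset, an attacker who can forge DNS can still steer mail to a host of their choosing, so the TLSA check only raises the bar for an attacker limited to the TLS path.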

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
