Viktor Dukhovni wrote:
> On Sun, Aug 23, 2015 at 07:29:50PM +0200, Patrik Fältström wrote:
>
>> If not, we will get absolutely zero deployment of DANE with SMTP as we
>> will never get 100% DNSSEC deployment.
>
> We already have non-zero deployment, in fact ~2000 domains now, and
> soon gmx.de and web.de as announced last week.
>
> I think this thread needs to end, or else needs a more relevant
> (to this WG) reboot.
>
> If you want to propose an update that requires SMTP clients to
> employ DANE TLSA verification of MX hosts in signed zones even when
> the MX RRset was not "secure", read the previous discussion of this
> question in the list archives (yes, it has come up before) and make
> a clear-cut proposal with as solid a rationale as you can.
>
> I am not sure this can get enough support to reach "rough consensus",
> but I'm open to the possibility.
Without a signed MX there is no cryptographically secured binding between the recipient domain (the right-hand part of the address) and the public key used for TLS authc. So I'm strictly against this possibility, and the developers of an MTA I spoke with today are also strongly against it.

@Patrik: Deploying DNSSEC/DANE at large scale is not an easy job. If you drop the requirement for signed MX RRs, DANE would not be worth the effort of implementing.

Ciao,
Michael.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
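As an added illustration of the signed-MX binding argument above (example code written for this page, not from the thread or from any MTA), the following Python model compares a client that consults MX-host TLSA records only when the MX RRset is DNSSEC-secure with the relaxed variant the thread debates, which would verify TLSA records of MX hosts in signed zones even when the MX RRset itself was not secure. The zone data, host names and `<digest-...>` values are constructed placeholders, and the model simplifies RFC 7672 (no CNAME handling, no distinction between secure and insecure denial of existence).

```python
# Added example (not from the thread): a minimal model of how a DANE-aware
# SMTP client decides, per MX host, whether DANE TLSA verification applies.
# All zone data below is constructed; "<digest-...>" values are placeholders
# standing in for real certificate-association data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"  # DNSSEC validation outcome


@dataclass
class Answer:
    """What a validating resolver hands back: the RRset plus its security status."""
    records: List[str]
    status: str


# Constructed zone data. unsigned.test. is an unsigned zone whose MX answer
# cannot be authenticated; signed-provider.test. is a signed zone that
# publishes a valid TLSA record for its MX host.
DNS: Dict[Tuple[str, str], Answer] = {
    ("example.com.", "MX"): Answer(["mx1.example.com."], SECURE),
    ("_25._tcp.mx1.example.com.", "TLSA"): Answer(["3 1 1 <digest-A>"], SECURE),
    ("unsigned.test.", "MX"): Answer(["mx.signed-provider.test."], INSECURE),
    ("_25._tcp.mx.signed-provider.test.", "TLSA"): Answer(["3 1 1 <digest-P>"], SECURE),
    ("bogus.test.", "MX"): Answer(["mx.bogus.test."], BOGUS),
}


def lookup(name: str, rtype: str) -> Answer:
    """Simulated validating resolver. Unknown names are treated as an insecure
    (unsigned) denial of existence, which is a simplification of RFC 7672."""
    return DNS.get((name, rtype), Answer([], INSECURE))


def tlsa_decision(host: str) -> str:
    """Decide for a single MX host from that host's own TLSA records."""
    tlsa = lookup(f"_25._tcp.{host}", "TLSA")
    if tlsa.status == BOGUS:
        return "unusable"  # validation failure: do not deliver via this host
    if tlsa.status == SECURE and tlsa.records:
        return "dane-verified:" + ",".join(tlsa.records)
    return "opportunistic-tls"  # no usable TLSA: fall back to unauthenticated TLS


def strict_policy(domain: str) -> Dict[str, str]:
    """RFC 7672 rule: TLSA records of MX hosts are consulted only when the MX
    RRset itself is DNSSEC-secure; otherwise the MX host names are untrusted."""
    mx = lookup(domain, "MX")
    if mx.status == BOGUS:
        return {}  # bogus MX answer: no deliverable hosts at all
    if mx.status != SECURE:
        # The MX names could have been substituted on the wire, so a TLSA match
        # would bind a key to a host name, not to the recipient domain.
        return {host: "opportunistic-tls" for host in mx.records}
    return {host: tlsa_decision(host) for host in mx.records}


def relaxed_policy(domain: str) -> Dict[str, str]:
    """The variant debated in the thread: verify TLSA of MX hosts that live in
    signed zones even when the MX RRset was not secure."""
    mx = lookup(domain, "MX")
    if mx.status == BOGUS:
        return {}
    return {host: tlsa_decision(host) for host in mx.records}


if __name__ == "__main__":
    for dom in ("example.com.", "unsigned.test.", "bogus.test."):
        print(dom, "strict:", strict_policy(dom), "relaxed:", relaxed_policy(dom))
```

For `unsigned.test.` the strict policy falls back to opportunistic TLS, while the relaxed policy reports a "verified" key: the key of whatever host the unvalidated MX answer happened to name. That is the missing binding between recipient domain and key that the message above describes, and it is why the RFC 7672 client only trusts MX-host TLSA records behind a secure MX RRset.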
