On Fri, Apr 22, 2016 at 11:39:01AM +0200, [email protected] wrote:
> >>The web.de domain has just published DANE TLSA records for its MX
> >>hosts.
> >
> >And today also the rest of the major 1&1 (Mail&Media) email domains:
> >
> > gmx.de ...
> >
> >>This is a major milestone in DANE adoption. [ IIRC they host
> >>mailboxes for a substantial fraction of the population of Germany. ]
>
> Congratulations, good work in pushing a useful security standard forward.

Thanks. It's taken a bunch of work behind the scenes.

> Do you have some information if they are also doing DANE outbound?

I've not asked yet. I expect that they will soon, if they've not
already. It would be great if they posted some operational experience
of how this affected their outbound mail flow.

DANE is still quite new, and so some bumps in the road are to be
expected. I've smoothed out many of the larger ones in the DNSSEC
space (notified DNS operators of issues to fix that then got fixed),
and also managed to help many an early adopter to get key rotation
right.

So today, out of the ~300,000 DANE-capable domains (DNSSEC signed
and MX hosting not outsourced to an unsigned domain) that I've been
able to find, ~15,000 have TLSA RRs, while ~200 still have some
DNS issues and ~50 have invalid TLSA records. Just one MX host is
doggedly sticking with PKIX-EE(1) TLSA records despite RFC7672 and
my attempts to reason with the operator:

    dougbarton.us. IN MX 10 dougbarton.us

So overall, the deployment picture is pretty good. I've
not heard of any significant issues from posteo.de; they, I believe,
have enabled DANE outbound some time ago.

On the DNS front, while progress is slow, I still expect the number
of problem domains to fall as more DNS providers upgrade or remediate
their systems.

Next on the list are isphuset.no and axc.nl, with the former
responsive, but very slow (ticket open since Aug/2015) and the
latter as yet unresponsive. Help appreciated from anyone who has
a working relationship with either provider, particularly axc.nl.

--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
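
Added example, not part of the original message or of any survey tooling it refers to: a small classifier for TLSA records in presentation format that separates malformed records from well-formed ones using the PKIX-TA(0)/PKIX-EE(1) usages that RFC 7672 says SMTP servers should not publish. The record names and digests are constructed, and treating unassigned usage, selector or matching-type values as invalid is an assumption of this sketch.

```python
import re
from collections import Counter

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGEST_HEX_LEN = {1: 64, 2: 128}  # matching type -> hex chars (SHA2-256, SHA2-512)

def check_tlsa(rr):
    """Classify one TLSA RR given in presentation format.

    Returns (verdict, reason); verdict is "ok", "unusable-for-smtp" or "invalid".
    """
    fields = rr.split()
    try:
        i = fields.index("TLSA")
        usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    except ValueError:
        return ("invalid", "not a parsable TLSA record")
    # Association data may be split across several whitespace-separated chunks.
    data = "".join(fields[i + 4:]).lower()
    # Assumption: values outside the assigned ranges are reported as invalid.
    if usage not in USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        return ("invalid", "unassigned usage, selector or matching type")
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", data):
        return ("invalid", "association data is not whole hex octets")
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        return ("invalid", "digest length does not fit the matching type")
    if usage in (0, 1):
        return ("unusable-for-smtp",
                USAGES[usage] + " should not be published for SMTP (RFC 7672)")
    return ("ok", USAGES[usage])

def summarize(records):
    """Count verdicts over a list of TLSA RRs."""
    return dict(Counter(check_tlsa(rr)[0] for rr in records))

# Constructed sample records; the digests are filler, not real certificates.
SAMPLE = [
    "_25._tcp.mx.example. IN TLSA 3 1 1 " + "ab" * 32,  # DANE-EE, SHA2-256
    "_25._tcp.mx.example. IN TLSA 1 1 1 " + "cd" * 32,  # PKIX-EE
    "_25._tcp.mx.example. IN TLSA 2 0 1 " + "ef" * 20,  # truncated digest
    "_25._tcp.mx.example. IN TLSA 3 1 1 nothex",        # garbage data
]

if __name__ == "__main__":
    for rr in SAMPLE:
        print(check_tlsa(rr), rr[:40])
    print(summarize(SAMPLE))
```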