Sneaky ;-)

On Fri, Jun 26, 2026 at 4:35 PM John R Levine <[email protected]> wrote:

> On Fri, 26 Jun 2026, Bob Traverz wrote:
> >> Indeed.  MTA-STS is basically an end run around DNSSEC TLSA, because at
> >> least one large mail provider doesn't sign its DNS.
> >
> > I can see that. Did that email provider implement MTA-STS?
>
> $ curl https://mta-sts.gmail.com/.well-known/mta-sts.txt
> version: STSv1
> mode: enforce
> mx: smtp.google.com
> mx: gmail-smtp-in.l.google.com
> mx: *.gmail-smtp-in.l.google.com
> max_age: 86400
>
> % curl https://mta-sts.outlook.com/.well-known/mta-sts.txt
> version: STSv1
> mode: enforce
> mx: *.olc.protection.outlook.com
> max_age: 604800
>
> $ curl https://mta-sts.yahoo.com/.well-known/mta-sts.txt
> version: STSv1
> mode: testing
> mx: *.am0.yahoodns.net
> mx: *.mail.gm0.yahoodns.net
> mx: *.mail.am0.yahoodns.net
> max_age: 86400
>
> $ curl https://mta-sts.comcast.net/.well-known/mta-sts.txt
> version: STSv1
> mode: enforce
> mx: mx2c1.comcast.net
> mx: mx2h1.comcast.net
> mx: mx1a1.comcast.net
> mx: mx1h1.comcast.net
> mx: mx1c1.comcast.net
> mx: mx2a1.comcast.net
> mx: mx1.ge.comcast.net
> mx: mx2.ge.comcast.net
> mx: mx1.mxge.comcast.net
> mx: mx2.mxge.comcast.net
>
>
>
> >
> > Regards,
> >
> > Bob Traverz
> >
> >
> > On Fri, Jun 26, 2026 at 12:51 PM John R Levine <[email protected]> wrote:
> >
> >> On Fri, 26 Jun 2026, Bob Traverz wrote:
> >>> With respect to the DKA discussion, I’d run the “edge-case” test to
> test
> >> if
> >>> a proposed architecture makes sense. Does a domain, to have a DKA,
> >>> necessarily require a website or other HTTPS assets? If not, there is
> no
> >>> inherent dependency between a website and a DKA. Forcing a domain to
> have
> >>> an “A” record designating a Https resource just to run a .well-known
> URL
> >>> that delivers another endpoint is simply an end-run around the DNS.
> Feels
> >>> like a hack rather than a well-designed architecture.
> >>
> >> Indeed.  MTA-STS is basically an end run around DNSSEC TLSA, because at
> >> least one large mail provider doesn't sign its DNS.
> >>
> >> You know, all you really need to do is pick a name like dka-server and
> say
> >> that the server for example.com is at https://dka-server.example.com.
> >> All
> >> done.  If you want to outsource your key server to a shared service, you
> >> know what CNAMEs are.
> >>
> >> R's,
> >> John
> >>
> >
>
> Regards,
> John Levine, [email protected], Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to