Sneaky ;-) On Fri, Jun 26, 2026 at 4:35 PM John R Levine <[email protected]> wrote:
> On Fri, 26 Jun 2026, Bob Traverz wrote: > >> Indeed. MTA-STS is basically an end run around DNSSEC TLSA, because at > >> least one large mail provider doesn't sign its DNS. > > > > I can see that. Did that email provider implement MTA-STS? > > $ curl https://mta-sts.gmail.com/.well-known/mta-sts.txt > version: STSv1 > mode: enforce > mx: smtp.google.com > mx: gmail-smtp-in.l.google.com > mx: *.gmail-smtp-in.l.google.com > max_age: 86400 > > % curl https://mta-sts.outlook.com/.well-known/mta-sts.txt > version: STSv1 > mode: enforce > mx: *.olc.protection.outlook.com > max_age: 604800 > > $ curl https://mta-sts.yahoo.com/.well-known/mta-sts.txt > version: STSv1 > mode: testing > mx: *.am0.yahoodns.net > mx: *.mail.gm0.yahoodns.net > mx: *.mail.am0.yahoodns.net > max_age: 86400 > > $ curl https://mta-sts.comcast.net/.well-known/mta-sts.txt > version: STSv1 > mode: enforce > mx: mx2c1.comcast.net > mx: mx2h1.comcast.net > mx: mx1a1.comcast.net > mx: mx1h1.comcast.net > mx: mx1c1.comcast.net > mx: mx2a1.comcast.net > mx: mx1.ge.comcast.net > mx: mx2.ge.comcast.net > mx: mx1.mxge.comcast.net > mx: mx2.mxge.comcast.net > > > > > > > Regards, > > > > Bob Traverz > > > > > > On Fri, Jun 26, 2026 at 12:51 PM John R Levine <[email protected]> wrote: > > > >> On Fri, 26 Jun 2026, Bob Traverz wrote: > >>> With respect to the DKA discussion, I’d run the “edge-case” test to > test > >> if > >>> a proposed architecture makes sense. Does a domain, to have a DKA, > >>> necessarily require a website or other HTTPS assets? If not, there is > no > >>> inherent dependency between a website and a DKA. Forcing a domain to > have > >>> an “A” record designating a Https resource just to run a .well-known > URL > >>> that delivers another endpoint is simply an end-run around the DNS. > Feels > >>> like a hack rather than a well-designed architecture. > >> > >> Indeed. MTA-STS is basically an end run around DNSSEC TLSA, because at > >> least one large mail provider doesn't sign its DNS. > >> > >> You know, all you really need to do is pick a name like dka-server and > say > >> that the server for example.com is at https://dka-server.example.com. > >> All > >> done. If you want to outsource your key server to a shared service, you > >> know what CNAMEs are. > >> > >> R's, > >> John > >> > > > > Regards, > John Levine, [email protected], Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly >
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
