Am 23. Mai 2018 07:54:41 MESZ schrieb Viktor Dukhovni via Exim-users <[email protected]>: >Yes, actually, the base specification is from late 2012,
just to clearify me a bit: DNSSEC (as a requirement for DANE spec.) is 20 years old now and as such it is far from "young" and - in practice - "widely outdated" by design, before it was and/or will be ever "really deployed". It was one of the first tries to "gover" a spec down "from the top" (ICANN etc.) and without this pressure, nearly no one would use / provide it today - but until today only a part of the TLDs (registries and/or registrars) provide it and many others that and still have problems in run it properly, leading to disable DNSSEC in parts or completely even in large company networks. If a german gov states DANE implicitely as a requirement for Email services (what is the case if the BSI gives such a statement) this leads to mich less, but large mass mail providers which are much easier "to handle" by the gov and his services then a classical Internet infrastructure service. >From a practical (i know the theory too) security view DANE "by" DNSSEC is >much less useful then in theory and compared to other usual / even more modern >technologies / standards (which are easier to deploy at any level, even >required with DNSSEC and depend less from complex trust in many (not free to >choose) parties. I have no prob if someone decide to use DANE - i have a problem if a gov forces internet users / providers to deploy it (even implicitely as the BSI here) by law. best regards, Niels. -- Niels Dettenbach Syndicat IT & Internet http://www.Syndicat.com -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
