> On Feb 3, 2019, at 11:28 PM, Alice Wonder via Exim-users
> <[email protected]> wrote:
>
> Some don't want to have to coordinate certificates with fingerprints in TLSA
> records; as more hosting providers provide DNSSEC by default when you use their
> DNS as well, MTA-STS may be easier than generating a new fingerprint from the
> keypair every time a new key is generated.
The same providers that have DNSSEC on by default often also have DANE-enabled
MX hosts, e.g. most notably one.com, but also transip.nl, domeneshop.no, ...
The job of keeping TLSA records up to date falls on the MX host operator, not
on the domain operator, so for example, one.com has to manage only a couple of
dozen TLSA RRs (to cover their various MX clusters) and thereby enable DANE for
presently ~674k domains.
> And some distributions of Exim ship without DANE enabled at build-time.
> Fedora, for example. Not sure why.
>
> But I agree DANE for SMTP is better.
Well, we architect for a horizon somewhat beyond the present moment, so we
can wait a bit and see how this plays out.
--
Viktor.
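Added example (mine, not code from the thread or from Exim): the "3 1 1" TLSA
RDATA the MX operator has to publish, derived from the host certificate's DER
bytes, plus a check that a published record still matches the current
certificate before a key rollover. It assumes DER input and builds a constructed
certificate skeleton instead of using a real MX certificate.

```python
import hashlib
# Added example, not the thread's code; the sample certificate below is constructed.
def der_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, cert_vstart, _ = der_tlv(cert_der, 0)             # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, cert_vstart)     # tbsCertificate SEQUENCE
    fields = []                                          # (tag, elem_start, value_end)
    while pos < tbs_end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, start, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[start:end]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text, e.g. '3 1 1 <hex>': DANE-EE, SPKI selector, SHA2-256."""
    data = extract_spki(cert_der) if selector == 1 else cert_der   # 0 = full cert
    hasher = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]          # KeyError otherwise
    return f"{usage} {selector} {mtype} {hasher(data).hexdigest()}"

def tlsa_matches(cert_der, rdata):
    """True if a published TLSA record still matches this certificate (rollover check)."""
    usage, selector, mtype, digest = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == digest.lower()
def der_encode(tag, body):
    """Encode one DER TLV; used here only to build the constructed sample certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def make_sample_cert(spki_der):
    """Constructed X.509 skeleton (empty names/validity) around spki_der; layout only."""
    empty, alg = der_encode(0x30, b""), der_encode(0x30, der_encode(0x06, b"\x2a"))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + alg + empty + empty + empty + spki_der)
    return der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00\xff"))
```

For a real MX host, feed the DER of the certificate Exim serves (e.g. the PEM
converted with ssl.PEM_cert_to_DER_cert) and compare against the published TLSA
RRset before swapping keys.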
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/