On 16-04-18 21:39, Brandon Long via mailop wrote:

[...]
I think this is an interesting stance, and I'm sure you've heard the
objections to this before.  You don't have to trust every CA, you
certainly don't need to trust every CA for every host, and there are
other tools to be used here such as cert transparency.

Also, maybe at some point the popular DNS providers will have point &
click DNSSEC and DANE configuration, until then, I believe it's much
easier for end users to use MTA-STS. Note that at our last look, none of
the popular providers allowed users to specify a TXT record large enough
for a 2k DKIM key, for example.

Here in the Netherlands many if not most providers offer DNSSEC for their customers, and most of those who do offer a web-based management interface to add TLSA records. The .nl zone is the fourth largest ccTLD with over 5.5 million registered domain names [1] and some 50 percent of them are DNSSEC secured.

/rolf

[1] https://stats.sidnlabs.nl/#/home

