On 16-04-18 21:39, Brandon Long via mailop wrote:
> I think this is an interesting stance, and I'm sure you've heard the
> this before. You don't have to trust every CA, you certainly don't need to
> CA for every host, and there are other tools to be used here such as cert
>
> Also, maybe at some point the popular DNS providers will have point & click
> and DANE configuration, until then, I believe it's much easier for end
> users to use MTA-STS.
>
> Note that at our last look, none of the popular providers allowed users to
> specify a TXT record large enough for a 2k DKIM key, for example.

Here in the Netherlands many if not most providers offer DNSSEC for
their customers, and most of those who do offer a web-based management
interface to add TLSA records. The .nl zone is the fourth largest ccTLD
with over 5.5 million registered domain names, and some 50 percent of
them are DNSSEC secured.