On Mon, Apr 16, 2018, 1:31 PM Rolf E. Sonneveld <r.e.sonnev...@sonnection.nl> wrote:
> On 16-04-18 21:39, Brandon Long via mailop wrote:
> > [...]
> > I think this is an interesting stance, and I'm sure you've heard the
> > objections to this before. You don't have to trust every CA, you
> > certainly don't need to trust every CA for every host, and there are
> > other tools to be used here such as cert transparency.
> >
> > Also, maybe at some point the popular DNS providers will have point &
> > click DNSSEC and DANE configuration, until then, I believe it's much
> > easier for end users to use MTA-STS. Note that at our last look, none
> > of the popular providers allowed users to specify a TXT record large
> > enough for a 2k DKIM key, for example.
>
> Here in the Netherlands many if not most providers offer DNSSEC for
> their customers and most of them who do, offer a web-based management
> interface to add TLSA records. The .nl zone is the fourth largest ccTLD
> with over 5.5 million registered domain names [1] and some 50 percent of
> it are DNSSEC secured.
>
> /rolf
>
> [1] https://stats.sidnlabs.nl/#/home

Yeah, I remember Viktor had some great stats on these things, and there are definitely some European countries doing a much better job than the big three TLDs.

I'm looking forward to more penetration of these things.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop