Viktor Dukhovni writes:
> Domains with wildcard MX records that want active-attack resistant
> SMTP transport security should do DANE.

I may be wrong (please correct me), but as far as I can see, DANE does not provide any additional caching mechanism and relies on DNS caching only. DNS caching is usually very limited in time (e.g. 7 days by default in bind, 1 day in Microsoft DNS server, see max_cache_ttl / MaxCacheTtl, and even less for local caching), and DANE does not explain what to do if the TLSA record lookup fails due to MitM. For me, DANE is a way to avoid authentication with the public CA infrastructure (it sounds funny, but currently the public CA infrastructure is not protected against even passive MitM, because the domain validation process is vulnerable to MitM), but DANE does not replace STS in any way, because long-term policy caching is a main feature of STS.

That's an additional reason for subdomains in STS, because it increases the chance for a policy to be obtained from cache.

-- 
Vladimir Dubrovin
@Mail.Ru

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
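The caching difference argued in the message above, shown as an added example that is not part of the original thread and not code from any MTA. It models a sender-side MTA-STS policy cache (RFC 8461 style policy text with `mode`, `mx` and `max_age`) next to a plain DNS-TTL cache check; the policy text, the `fetch` callback, the clock and the `max_age`/TTL numbers are all constructed for illustration. The point it demonstrates: when a later policy refresh fails, the STS cache keeps enforcing the policy until `max_age` runs out, whereas a DNS answer such as a TLSA record is gone once `min(record TTL, resolver max-cache-ttl)` has elapsed.

```python
"""Added example (not from the thread): MTA-STS policy cache vs. DNS TTL cache lifetime."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample policy in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 31557600
"""


@dataclass
class StsPolicy:
    mode: str
    mx: List[str]
    max_age: int  # seconds the sender may keep using this policy


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the key/value policy body; reject anything that is not a usable STSv1 policy."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode", [""])[0]
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    max_age = int(fields.get("max_age", ["0"])[0])
    if max_age < 0:
        raise ValueError("max_age must be non-negative")
    return StsPolicy(mode=mode, mx=fields.get("mx", []), max_age=max_age)


@dataclass
class CachedPolicy:
    policy: StsPolicy
    fetched_at: float


class StsPolicyCache:
    """Sender-side policy cache: a failed refresh does not evict a policy whose max_age is unexpired."""

    def __init__(self, fetch: Callable[[str], str], now: Callable[[], float] = time.time):
        self._fetch = fetch        # hypothetical HTTPS fetch of the policy text, injected for testing
        self._now = now            # injectable clock so cache ageing can be simulated
        self._cache: Dict[str, CachedPolicy] = {}

    def get(self, domain: str) -> Optional[StsPolicy]:
        now = self._now()
        entry = self._cache.get(domain)
        try:
            policy = parse_sts_policy(self._fetch(domain))
        except Exception:
            # Refresh failed (outage, blocked fetch, bad content): keep serving the
            # cached policy while it is younger than its max_age, otherwise fall open.
            if entry is not None and now - entry.fetched_at < entry.policy.max_age:
                return entry.policy
            return None
        self._cache[domain] = CachedPolicy(policy, now)
        return policy


def dns_record_still_cached(record_ttl: int, resolver_max_cache_ttl: int, age: int) -> bool:
    """A resolver keeps an answer for at most min(record TTL, its configured max cache TTL)."""
    return age < min(record_ttl, resolver_max_cache_ttl)


def demo() -> None:
    """Walk the scenario from the message: first fetch succeeds, every later refresh fails."""
    clock = [0.0]
    calls = [0]

    def fetch(domain: str) -> str:
        calls[0] += 1
        if calls[0] > 1:
            raise ConnectionError("simulated policy fetch failure")
        return SAMPLE_POLICY

    cache = StsPolicyCache(fetch, now=lambda: clock[0])
    print("day 0 policy:", cache.get("example.com"))
    clock[0] = 14 * 86400
    print("day 14 policy (fetch failing):", cache.get("example.com"))
    print("day 14 TLSA still cached (TTL 1h, bind max-cache-ttl 7d):",
          dns_record_still_cached(3600, 7 * 86400, 14 * 86400))


if __name__ == "__main__":
    demo()
```

The `max_age` of 31557600 seconds is the largest value RFC 8461 allows, chosen here to make the contrast with a seven-day resolver cap obvious; a real policy can use a shorter lifetime, and a sender still refreshes while the cached copy is valid, so an unreachable policy host only matters once `max_age` has actually elapsed.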
