On May 14, 2018, at 5:15 AM, Daniel Margolis <[email protected]> wrote:
> I tend to agree about the security reasoning (i.e., that having
> the TXT provide indirection to the Policy Host introduces no real
> risks),
Allowing the TXT record to specify the authority domain of
the MTA-STS policy URL would allow any party in control of
some HTTPS endpoint in the domain to forge the domain's MTA-STS
policy, provided they are able to MiTM the lookup of the TXT
record. I think this needlessly weakens MTA-STS security.
So I don't think we have the option of a dynamic policy URL
authority. It is either "mta-sts.example.com" (or some similar
name) or just "example.com" (zone apex with no "conventional"
label prefix).
--
Viktor.
P.S. As to the 205k domains, they are all DNSSEC-signed, have
DANE-enabled MX hosts, and are all direct (one label) sub-domains
of a public suffix list domain. Some organizations have email
addresses in sub-domains, I don't track any of those. And many
of the 205k domains with MX hosts at the large providers are
parked.
A more representative survey might be the domains published in
Gmail's transparency report, with the scope possibly expanded to
include more domains that receive less mail than the cut-off for
making that list.
I still would not expect to find "mta-sts" used outside the
early pilot domains for this draft.
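To make the fixed-authority point concrete, here is an added example (mine, not code from the message above or from any MTA-STS implementation) of policy discovery that validates the TXT record but derives the policy host from the domain alone, so a spoofed TXT answer cannot steer the HTTPS fetch; the `mta-sts` label, the `/.well-known/mta-sts.txt` path, the `host=` field and the sample records are assumptions of the example.

```python
import re

# Added example, not from the thread: MTA-STS policy discovery with a FIXED
# policy host derived from the domain, never from the TXT record contents.
POLICY_LABEL = "mta-sts"  # the conventional label prefix discussed above

def parse_sts_txt(txt: str) -> dict:
    """Parse "v=STSv1; id=..." into a dict and reject anything else.  The
    record carries no host or URL, so spoofing it cannot redirect the fetch."""
    fields = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("not a valid STSv1 record (bad version or id)")
    return fields

def policy_url(domain: str, txt: str) -> str:
    """Validate the TXT record, then build the URL from the domain alone.
    A hypothetical 'host=' field in a forged record is simply ignored."""
    parse_sts_txt(txt)
    return f"https://{POLICY_LABEL}.{domain.rstrip('.')}/.well-known/mta-sts.txt"

def parse_policy(body: str) -> dict:
    """Parse the policy file fetched over HTTPS; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip()] = value.strip()
    return policy

def mx_allowed(mx_host: str, policy: dict) -> bool:
    """True if the MX name matches a policy pattern; '*.' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parent = pattern[2:]
            if host.endswith("." + parent) and "." not in host[: -len(parent) - 1]:
                return True
        elif host == pattern:
            return True
    return False
```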
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta