On Wed, Nov 07, 2018 at 10:41:29AM +0100, Daniel Margolis wrote:
> In particular, it seems to only apply in the case
> where the MX is on a zone that can't/won't do DNSSEC but the mailbox domain
> does do DNSSEC (thus DANE doesn't work).
Yes, and there are millions of domains in this bucket.
> This isn't necessarily uncommon
> (as small domains hosting their mail on e.g. GSuite may be in exactly such
> a situation), but if that's the primary application, maybe the "reverse
> proxy" method is in fact just as easy, no?
Well, the reverse proxy still imposes a small burden on the receiving
domain, but perhaps the main benefit would be for sending MTAs,
which could get both stateless MTA-STS functionality (no cache to
maintain for the DNSSEC-signed domains that include a "mode" in
their signed text record) and downgrade protection on first contact.
The WebPKI vs. DANE/DNSSEC roots of trust are then the final
distinction between this hypothetical model and DANE.
Not sure whether this half-way point between MTA-STS and DANE
warrants standardizing with a view to broad implementation. It
rather depends on whether the dominant MX-hosting providers will
over the next 5-10 years gradually also get DNSSEC signed and enable
DANE or not.
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
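The sender-side decision the thread is circling (DANE when the MX zone is signed, a hypothetical "signed text record with a mode" when only the mailbox domain is signed, and ordinary cached MTA-STS otherwise) as an added, self-contained Python model. This is not code from the thread or from any MTA; the DNS answers are constructed inline, the domain names are placeholders, and the `mode=` field in the `_mta-sts` TXT record is Viktor's hypothetical extension, not part of RFC 8461.

```python
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class DnsAnswer:
    """A resolver answer: record data plus the DNSSEC 'AD' (authenticated data) flag."""
    rdata: tuple[str, ...]
    ad: bool = False


# Constructed zone data keyed by (qname, qtype); none of these are real domains.
DNS = {
    # Case 1: mailbox domain and MX host both live in DNSSEC-signed zones -> DANE works.
    ("dane.example", "MX"): DnsAnswer(("10 mx.dane.example",), ad=True),
    ("_25._tcp.mx.dane.example", "TLSA"): DnsAnswer(("3 1 1 DIGEST-PLACEHOLDER",), ad=True),
    # Case 2: mailbox domain is signed, but the MX sits in a hosting provider's
    # unsigned zone, so no validated TLSA record can exist. The hypothetical
    # signed text record carries a 'mode', so the sender needs no policy cache.
    ("hosted.example", "MX"): DnsAnswer(("10 mx.hosting-provider.example",), ad=True),
    ("_mta-sts.hosted.example", "TXT"): DnsAnswer(("v=STSv1; id=20181107; mode=enforce",), ad=True),
    # Case 3: nothing is signed; plain MTA-STS, which is only downgrade-resistant
    # once a policy fetched over HTTPS has been cached.
    ("plain.example", "MX"): DnsAnswer(("10 mx.plain.example",)),
    ("_mta-sts.plain.example", "TXT"): DnsAnswer(("v=STSv1; id=20181107",)),
}


def lookup(qname: str, qtype: str) -> DnsAnswer | None:
    return DNS.get((qname, qtype))


def parse_sts_txt(txt: str) -> dict[str, str]:
    """Parse 'k=v; k=v' pairs from an MTA-STS TXT record (RFC 8461 syntax)."""
    fields: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        m = re.fullmatch(r"([A-Za-z0-9_-]+)=(.*)", part)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def select_policy(mailbox_domain: str, sts_cache: dict[str, str]) -> tuple[str, str]:
    """Return (mechanism, mode) a sending MTA would apply for mailbox_domain.

    sts_cache maps domain -> mode of a previously fetched MTA-STS policy.
    """
    mx = lookup(mailbox_domain, "MX")
    if mx is None:
        return ("none", "none")
    # Lowest preference value wins; we only model the primary MX here.
    mx_host = min(mx.rdata, key=lambda r: int(r.split()[0])).split()[1]

    # DANE: a DNSSEC-validated TLSA record for the MX host pins the server.
    tlsa = lookup(f"_25._tcp.{mx_host}", "TLSA")
    if tlsa is not None and tlsa.ad:
        return ("dane", "enforce")

    sts = lookup(f"_mta-sts.{mailbox_domain}", "TXT")
    if sts is not None:
        fields = parse_sts_txt(sts.rdata[0])
        if fields.get("v") == "STSv1":
            # Hypothetical hybrid: the mode rides in a signed record, so the
            # sender is protected on first contact with no cache to maintain.
            if sts.ad and "mode" in fields:
                return ("signed-sts", fields["mode"])
            if mailbox_domain in sts_cache:
                return ("mta-sts", sts_cache[mailbox_domain])
            # First contact with unsigned DNS: the record itself could have been
            # suppressed, so nothing is enforced until the HTTPS policy is cached.
            return ("mta-sts-first-contact", "none")

    # A cached MTA-STS policy outlives a (possibly stripped) TXT record until expiry.
    if mailbox_domain in sts_cache:
        return ("mta-sts", sts_cache[mailbox_domain])
    return ("opportunistic", "none")


if __name__ == "__main__":
    for domain in ("dane.example", "hosted.example", "plain.example"):
        print(domain, select_policy(domain, {}))
```

The interesting branch is `hosted.example`: the sender reaches `signed-sts` without any cache state and without the MX provider having deployed DNSSEC, which is exactly the bucket of small domains on large hosted MX that the thread describes. Whether that branch is worth standardizing is the open question Viktor raises; the model only makes the trust-root difference (WebPKI for the TLS handshake versus DNSSEC for the TLSA pin) explicit.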