Deployment news ( publishes TLSA RRs)

Viktor Dukhovni
Sat Nov 21 03:42:01 CET 2015

On Fri, Nov 20, 2015 at 09:12:49PM -0500, Patrick Domack wrote:

> I have been attempting to push more people to use dane, but it is hard.
> More and more server admins keep asking to not send email to their domains
> without tls verification or certificate pinning, but none of them have heard
> of dane. Most don't even have dnssec even.

Thanks for helping get the message out.  Yes, it is difficult to
get initial momentum.  Still, certificate pinning scales exceedingly
poorly, so it is worth trying.

This is still fairly early in the adoption cycle.  I need to get
DANE TLS adopted into OpenSSL.  Some initial code is awaiting
internal team review...  It will be important to see DANE support
in more than Postfix and early adopter releases of Exim.

The folks publishing TLSA records need only DNSSEC and some
operational discipline, no need (at the same time) to deploy an
MTA that can verify such records.  They may need better DNSSEC
tools.  IIRC Microsoft significantly enhanced DNSSEC support in
recent releases of ActiveDirectory.

Adoption has grown from a hundred or so domains last summer to
thousands now, but mostly small domains.  I hope momentum will pick
up once and go live.
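The two halves of what the thread is about, publishing a TLSA RR for an MX host and verifying it from the sending side, as an added example that is not code from this list post, Postfix or OpenSSL: it derives the DANE-EE(3) SPKI(1) SHA-256(1) record for `_25._tcp.<mx host>` from a certificate's SubjectPublicKeyInfo and checks a presented leaf certificate against an RRset. The certificate bytes and the host name `mx1.example.com` are constructed assumptions so it runs offline.

```python
import hashlib
USAGE_DANE_EE, SELECTOR_SPKI, MTYPE_SHA256 = 3, 1, 1  # "3 1 1": pin the server's SPKI hash

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (lengths below 65536)."""
    n = len(body)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def der_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, end) where end is the offset after it."""
    tag, first, hdr = data[pos], data[pos + 1], 2
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        hdr += first & 0x7F
        first = int.from_bytes(data[pos + 2:pos + hdr], "big")
    return tag, data[pos + hdr:pos + hdr + first], pos + hdr + first

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (the selector-1 input)."""
    _, cert_body, _ = der_tlv(cert_der)  # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_tlv(cert_body)  # tbsCertificate is its first element
    fields, pos = [], 0
    while pos < len(tbs_body):           # collect (tag, whole TLV) of each tbs field
        tag, _, end = der_tlv(tbs_body, pos)
        fields.append((tag, tbs_body[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:             # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]                  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_record(mx_host: str, cert_der: bytes, port: int = 25) -> str:
    """Presentation-format TLSA RR the MX operator publishes in its DNSSEC-signed zone."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
    return f"_{port}._tcp.{mx_host}. IN TLSA {USAGE_DANE_EE} {SELECTOR_SPKI} {MTYPE_SHA256} {digest}"

def dane_ee_match(presented_cert_der: bytes, tlsa_rdata: list) -> bool:
    """Sending-MTA side: does the presented leaf cert match any 3 1 1 record in the RRset?"""
    want = hashlib.sha256(spki_from_cert(presented_cert_der)).hexdigest()
    for rdata in tlsa_rdata:
        usage, selector, mtype, assoc = rdata.split()
        if (int(usage), int(selector), int(mtype)) == (3, 1, 1) and assoc.lower() == want:
            return True
    return False

def constructed_cert(spki: bytes) -> bytes:
    """Constructed, certificate-shaped DER for offline use only; not a real signed certificate."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
# Constructed SPKI: rsaEncryption OID plus a fake key BIT STRING (only the bytes matter here).
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00constructed-key"))
```

Only usage 3 is handled here; usages 0 to 2 additionally require PKIX or trust-anchor chain processing, and in any case the TLSA lookup is only meaningful when the response is DNSSEC-validated.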