Deployment news (comcast.net publishes TLSA RRs)

[Patrick Domack]

Quoting Viktor Dukhovni <ietf-dane at dukhovni.org>:

> On Fri, Nov 20, 2015 at 09:12:49PM -0500, Patrick Domack wrote:
>
>> I have been attempting to push more people to use dane, but it is hard.
>>
>> More and more server admins keep asking to not send email to their domains
>> without tls verification or certificate pinning, but none of them have heard
>> of dane. Most don't even have dnssec even.
>
> Thanks for helping get the message out.  Yes, it is difficult to
> get initial momentum.  Still, certificate pinning scales exceedingly
> poorly, so it is worth trying.
>
> This is still fairly early in the adoption cycle.  I need to get
> DANE TLS adopted into OpenSSL.  Some initial code is awaiting
> internal team review...  It will be important to see DANE support
> in more than Postfix and early adopter releases of Exim.
>
> The folks publishing TLSA records need only DNSSEC and some
> operational discipline, no need (at the same time) to deploy an
> MTA that can verify such records.  They may need better DNSSEC
> tools.  IIRC Microsoft significantly enhanced DNSSEC support in
> recent releases of ActiveDirectory.
>
> Adoption has grown from a hundred or so domains last summer to
> thousands now, but mostly small domains.  I hope momentum will pick
> up once web.de and gmx.de go live.

Yes, I have noticed it is a big movement in germany. Have had a lot of  
people asking for help on setting up dane the last few months from  
there. But can't get any movement that is noticable here in the usa.