Deployment news (comcast.net publishes TLSA RRs)
patrickdk at patrickdk.com
Sat Nov 21 03:48:43 CET 2015
Quoting Viktor Dukhovni <ietf-dane at dukhovni.org>:
> On Fri, Nov 20, 2015 at 09:12:49PM -0500, Patrick Domack wrote:
>> I have been attempting to push more people to use DANE, but it is hard.
>> More and more server admins keep asking to not send email to their domains
>> without TLS verification or certificate pinning, but none of them have heard
>> of DANE. Most don't even have DNSSEC.
> Thanks for helping get the message out. Yes, it is difficult to
> get initial momentum. Still, certificate pinning scales exceedingly
> poorly, so it is worth trying.
> This is still fairly early in the adoption cycle. I need to get
> DANE TLS adopted into OpenSSL. Some initial code is awaiting
> internal team review... It will be important to see DANE support
> in more than Postfix and early adopter releases of Exim.
> The folks publishing TLSA records need only DNSSEC and some
> operational discipline, no need (at the same time) to deploy an
> MTA that can verify such records. They may need better DNSSEC
> tools. IIRC Microsoft significantly enhanced DNSSEC support in
> recent releases of ActiveDirectory.
> Adoption has grown from a hundred or so domains last summer to
> thousands now, but mostly small domains. I hope momentum will pick
> up once web.de and gmx.de go live.
Yes, I have noticed it is a big movement in Germany. I have had a lot of
people asking for help on setting up DANE over the last few months from
there. But I can't get any movement that is noticeable here in the USA.