Deployment news ( publishes TLSA RRs)

Patrick Domack patrickdk at
Sat Nov 21 03:48:43 CET 2015

Quoting Viktor Dukhovni <ietf-dane at>:

> On Fri, Nov 20, 2015 at 09:12:49PM -0500, Patrick Domack wrote:
>> I have been attempting to push more people to use dane, but it is hard.
>> More and more server admins keep asking to not send email to their domains
>> without tls verification or certificate pinning, but none of them have heard
>> of dane. Most don't even have dnssec even.
> Thanks for helping get the message out.  Yes, it is difficult to
> get initial momentum.  Still, certificate pinning scales exceedingly
> poorly, so it is worth trying.
> This is still fairly early in the adoption cycle.  I need to get
> DANE TLS adopted into OpenSSL.  Some initial code is awaiting
> internal team review...  It will be important to see DANE support
> in more than Postfix and early adopter releases of Exim.
> The folks publishing TLSA records need only DNSSEC and some
> operational discipline, no need (at the same time) to deploy an
> MTA that can verify such records.  They may need better DNSSEC
> tools.  IIRC Microsoft significantly enhanced DNSSEC support in
> recent releases of ActiveDirectory.
> Adoption has grown from a hundred or so domains last summer to
> thousands now, but mostly small domains.  I hope momentum will pick
> up once and go live.

Yes, I have noticed it is a big movement in germany. Have had a lot of  
people asking for help on setting up dane the last few months from  
there. But can't get any movement that is noticable here in the usa.

More information about the dane-users mailing list