Deployment news (comcast.net publishes TLSA RRs)

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Nov 21 04:28:11 CET 2015


On Fri, Nov 20, 2015 at 09:48:43PM -0500, Patrick Domack wrote:

> Yes, I have noticed it is a big movement in Germany. Have had a lot of
> people asking for help on setting up DANE the last few months from there.
> But can't get any movement that is noticeable here in the USA.

I think that what's needed is getting software support for DANE
into OpenSSL, mTLS and GnuTLS, plus adoption by the SMTP major
appliance vendors, Ironport, Proofpoint, ... and of course Microsoft
Exchange.  There's still some work to do.

Making it easier to update the DNS with the right records would
also help, sadly there's no satisfactory and standard management
interface with a decent access control model.  So automating
publication of TLSA records is difficult.

Perhaps we need a new protocol by which a TLS server can securely
pre-publish the next certificate without activating it (say include
it in a new TLS extension), thus allowing the DNS server operator
to automate TLSA record updates by querying the SMTP server
(authenticated via the current records).

If anyone has better ideas to automate coordination of DNS updates
and key rotation, I'm all ears...

-- 
	Viktor.
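As an added illustration of the coordination problem raised above (not part of Viktor's message, and not code from any of the projects he names), the script below shows the DNS-side half of a key rollover: derive the TLSA RDATA from a certificate's DER, build the pre-publish RRset that carries both the current and the next certificate, and check that a certificate is covered by the published set before a server is switched to it. The DER helpers and the `toy_certificate` builder are hypothetical: the builder emits a certificate-shaped structure with a made-up key and no valid signature, purely so the example runs offline; on a real system the DER bytes would come from the actual server certificate.

```python
import hashlib

# --- minimal DER helpers (enough for the outer X.509 structure) ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_children(content):
    """Split DER content into (tag, whole_tlv, inner_content) triples."""
    out, i = [], 0
    while i < len(content):
        tag, first = content[i], content[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(content[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        whole = content[i:i + hdr + length]
        out.append((tag, whole, whole[hdr:]))
        i += hdr + length
    return out

def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, _, cert_body = der_children(cert_der)[0]
    _, _, tbs = der_children(cert_body)[0]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # v2/v3 certs carry an explicit [0] version
        fields = fields[1:]
    return fields[5][1]               # the whole TLV is what selector 1 hashes

# --- TLSA record generation and checking (RFC 6698 / RFC 7671 conventions) ---

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA for a TLSA record covering cert_der.
    usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo (0 = full cert),
    matching type 1 = SHA-256 (0 = full data, 2 = SHA-512)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(rrset, cert_der):
    """True if at least one published TLSA record matches the presented certificate.
    This is the check to run before (and after) a certificate swap, so the server
    never presents a certificate that its own TLSA RRset does not cover."""
    for rr in rrset:
        usage, selector, mtype, _ = rr.split()
        if rr == tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)):
            return True
    return False

def rollover_rrset(current_der, next_der):
    """Pre-publish rollover: the RRset that must be live, and past the old RRset's
    TTL, before the server switches from current_der to next_der.  Once the
    switch is done the record for current_der can be dropped."""
    return sorted({tlsa_rdata(current_der), tlsa_rdata(next_der)})

# --- constructed test data: an X.509-shaped blob, not a real signed certificate ---

EC_PUBKEY_OID = b"\x2a\x86\x48\xce\x3d\x02\x01"        # 1.2.840.10045.2.1 (id-ecPublicKey)
ECDSA_SHA256_OID = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"  # 1.2.840.10045.4.3.2

def toy_certificate(serial, pubkey_bytes):
    """Build a DER structure with the shape of a v3 certificate (hypothetical content)."""
    empty_name = der(0x30, b"")
    alg = der(0x30, der(0x06, ECDSA_SHA256_OID))
    spki = der(0x30, der(0x30, der(0x06, EC_PUBKEY_OID)) + der(0x03, b"\x00" + pubkey_bytes))
    validity = der(0x30, der(0x17, b"151101000000Z") + der(0x17, b"161101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # dummy signature bits

if __name__ == "__main__":
    current = toy_certificate(1, b"A" * 32)
    upcoming = toy_certificate(2, b"B" * 32)
    print("current TLSA:", tlsa_rdata(current))
    print("rollover RRset:", rollover_rrset(current, upcoming))
    print("safe to switch:", tlsa_matches(rollover_rrset(current, upcoming), upcoming))
```

Selector 1 (SubjectPublicKeyInfo) is used by default because it survives a certificate renewal that keeps the same key, so only genuine key rotations need a DNS change; the pre-publish step is what lets the DNS operator act ahead of the server switch, which is exactly the coordination the proposed TLS extension would feed.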

