DANE SMTP and OPS drafts now RFCs!
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 15 05:53:10 CEST 2015
After a two-and-a-half-year process, the DANE SMTP and DANE OPS drafts
are now published IETF RFCs:
https://tools.ietf.org/html/rfc7671
-----------------------------------
The DNS-Based Authentication of Named Entities (DANE) Protocol:
Updates and Operational Guidance
This document clarifies and updates the DNS-Based Authentication of
Named Entities (DANE) TLSA specification (RFC 6698), based on
subsequent implementation experience. It also contains guidance for
implementers, operators, and protocol developers who want to use DANE
records.
https://tools.ietf.org/html/rfc7672
-----------------------------------
SMTP Security via Opportunistic DNS-Based Authentication of Named
Entities (DANE) Transport Layer Security (TLS)
This memo describes a downgrade-resistant protocol for SMTP transport
security between Message Transfer Agents (MTAs), based on the DNS-
Based Authentication of Named Entities (DANE) TLSA DNS record.
Adoption of this protocol enables an incremental transition of the
Internet email backbone to one using encrypted and authenticated
Transport Layer Security (TLS).
It is now time to shift my attention back to implementation in TLS
libraries. The community can help by promoting adoption, and making
sure that your deployment stays valid at all times. Please pay close
attention to:
https://dane.sys4.de/common_mistakes#3
https://dane.sys4.de/common_mistakes#8
https://tools.ietf.org/html/rfc7671#section-8.1
https://tools.ietf.org/html/rfc7671#section-8.4
https://tools.ietf.org/html/rfc7672#section-3.1.1
https://tools.ietf.org/html/rfc7672#section-3.1.2
https://tools.ietf.org/html/rfc7672#section-3.1.3
Just in case you overlooked something, please always retest your
domain's TLSA records after deploying fresh certificates and/or
private keys.
https://dane.sys4.de
--
Viktor.
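The retest the post asks for, as an added example that is not part of the original message (Python, standard library only): it derives TLSA association data (selector Cert/SPKI, matching type Full/SHA-256/SHA-512) from a certificate's DER encoding and checks whether a published TLSA RRset still matches the certificate an MTA now serves. A constructed, unsigned synthetic certificate with an Ed25519-style key stands in for a real one, and an inline RRset stands in for a DNS lookup; both are assumptions of this example.

```python
import hashlib

def der(tag, body):                                      # encode one DER TLV (lengths up to 65535)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_split(buf):                                      # (tag, body, rest) of the first TLV in buf
    k = buf[1] - 0x80 if buf[1] & 0x80 else 0            # extra length bytes in long form
    n = int.from_bytes(buf[2:2 + k], "big") if k else buf[1]
    return buf[0], buf[2 + k:2 + k + n], buf[2 + k + n:]

def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate to the subjectPublicKeyInfo TLV (RFC 5280 field order)."""
    _, tbs, _ = der_split(der_split(cert_der)[1])
    if tbs[0] == 0xA0:                                  # optional [0] EXPLICIT version
        _, _, tbs = der_split(tbs)
    for _ in range(5):                                  # serialNumber, signature, issuer, validity, subject
        _, _, tbs = der_split(tbs)
    return tbs[:len(tbs) - len(der_split(tbs)[2])]

def tlsa_data(cert_der, selector, mtype):
    """Association data as zone-file hex: selector Cert(0)/SPKI(1), matching Full(0)/SHA-256(1)/SHA-512(2)."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
    return digest[mtype](blob).hex()

def check_rrset(tlsa_rrset, cert_der):
    """True if at least one published DANE-EE(3) record matches the certificate the MTA now serves."""
    for rr in tlsa_rrset:
        usage, selector, mtype, data = rr.split()
        if usage == "3" and tlsa_data(cert_der, int(selector), int(mtype)) == data.lower():
            return True
    return False

def synthetic_cert(pubkey32):
    """Constructed, unsigned stand-in for an X.509 certificate carrying an Ed25519-style SPKI."""
    alg = der(0x30, der(0x06, bytes.fromhex("2b6570")))            # AlgorithmIdentifier, OID 1.3.101.112
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey32))
    when = der(0x17, b"151015000000Z")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + der(0x30, when + when) + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64)))  # placeholder signature bits

def rollover_demo():                                     # key change with stale DNS, then the correct order
    old_cert, new_cert = synthetic_cert(bytes(range(32))), synthetic_cert(bytes(range(32, 64)))
    published = ["3 1 1 " + tlsa_data(old_cert, 1, 1)]      # the TLSA RRset DNS serves today
    stale = check_rrset(published, new_cert)                # new key against the old record: False
    published.append("3 1 1 " + tlsa_data(new_cert, 1, 1))  # add the new record, then switch keys
    return stale, check_rrset(published, new_cert)          # (False, True)
```

In a real check the RRset comes from a DNSSEC-validated lookup of `_25._tcp.<mx-host>` and the certificate from the MTA's live TLS handshake; both are stubbed here so the block runs offline.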