Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-16 14:07:58

The next problem with DANE is that it requires users to have an updated
enough DNS server/client that provides tools for the new RR-Type, as
opposed to the "overload the TXT record" mechanism that has been popular in
the email world recently.  I know our code hasn't added support yet, though
it looks like it's in recent BIND implementations. ...

BIND and NSD have supported TLSA since 2012, and any reasonably recent DNS
cache should handle TLSA since it doesn't have any special semantics.  The
problem is more likely to be the web crudware that people use to provision
their DNS zones.
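To make the reply concrete, here is an added example (not code from the thread or from BIND/NSD) that builds a TLSA record from a certificate, renders it both in the native `TLSA` presentation format and in the RFC 3597 generic `TYPE52 \# ...` syntax that BIND and NSD accept for any RR type, and verifies a certificate against the RDATA. The certificate is a hand-constructed minimal DER structure (`SAMPLE_CERT`) built inline so the script runs offline; the DER helpers and the SPKI extraction are my own minimal code, not a general-purpose X.509 parser. Using the generic syntax as a way to get a TLSA record into a zone when the provisioning front end does not know the type is my suggestion, not something the reply states.

```python
import hashlib
import hmac
import struct

TLSA_TYPE = 52  # RR type number assigned to TLSA (RFC 6698)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV. Short-form length only: enough for the constructed sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def read_tlv(buf: bytes, off: int):
    """Decode one TLV at buf[off]; handles long-form lengths as real certs use."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start, end = off + hdr, off + hdr + length
    return tag, buf[start:end], buf[off:end], end


def der_children(content: bytes):
    """Split the content of a constructed TLV into (tag, inner, whole) children."""
    out, off = [], 0
    while off < len(content):
        tag, inner, whole, off = read_tlv(content, off)
        out.append((tag, inner, whole))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a DER Certificate (selector 1 input)."""
    _, cert_body, _, _ = read_tlv(cert_der, 0)
    tbs_inner = der_children(cert_body)[0][1]
    fields = der_children(tbs_inner)
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> bytes:
    """Wire-format TLSA RDATA: usage | selector | matching type | association data."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        assoc = selected
    elif matching_type == 1:
        assoc = hashlib.sha256(selected).digest()
    elif matching_type == 2:
        assoc = hashlib.sha512(selected).digest()
    else:
        raise ValueError("unknown matching type")
    return struct.pack("!BBB", usage, selector, matching_type) + assoc


def verify_tlsa(rdata: bytes, cert_der: bytes) -> bool:
    """Recompute the association data for cert_der and compare in constant time."""
    usage, selector, matching_type = rdata[:3]
    expected = tlsa_rdata(usage, selector, matching_type, cert_der)
    return hmac.compare_digest(expected, rdata)


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name for the record, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_presentation(rdata: bytes) -> str:
    """Native presentation format, usable where the zone tool knows the TLSA type."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def tlsa_generic(rdata: bytes) -> str:
    """RFC 3597 unknown-type syntax; BIND and NSD load this for any RR type."""
    return f"TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex()}"


# Constructed sample: the skeleton of a v3 certificate with a tiny placeholder key.
SAMPLE_SPKI = der(0x30,
    der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    + der(0x03, b"\x00" + bytes(range(8))))
SAMPLE_CERT = der(0x30,
    der(0x30,
        der(0xA0, der(0x02, b"\x02"))   # [0] version v3
        + der(0x02, b"\x01")            # serialNumber
        + der(0x30, b"")                # signature (placeholder)
        + der(0x30, b"")                # issuer (placeholder)
        + der(0x30, b"")                # validity (placeholder)
        + der(0x30, b"")                # subject (placeholder)
        + SAMPLE_SPKI)
    + der(0x30, b"")                    # signatureAlgorithm (placeholder)
    + der(0x03, b"\x00\x00"))           # signatureValue (placeholder)

if __name__ == "__main__":
    rd = tlsa_rdata(3, 1, 1, SAMPLE_CERT)   # DANE-EE, SPKI, SHA-256
    print(tlsa_owner("mail.example.com", 25), "IN TLSA", tlsa_presentation(rd))
    print(tlsa_owner("mail.example.com", 25), "IN", tlsa_generic(rd))
```

The `3 1 1` combination pins the SPKI rather than the whole certificate, so re-signing the same key (a renewal) leaves the record valid, while any change to the key fails `verify_tlsa`; the `0` selector variant breaks on any byte of the certificate changing.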


