
Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-16 14:26:54
On Mon, Jun 16, 2014 at 12:07 PM, John Levine <johnl(_at_)taugh(_dot_)com> 


The next problem with DANE is that it requires users to have an updated
enough DNS server/client that provides tools for the new RR-Type, as
opposed to the "overload the TXT record" mechanism that has been popular in
the email world recently.  I know our code hasn't added support yet;
it looks like it's in recent BIND implementations. ...

BIND and NSD have supported TLSA since 2012, and any reasonably recent DNS
cache should handle TLSA since it doesn't have any special semantics.  The
problem is more likely to be the web crudware that people use to provision
their DNS zones.

Right, and my desktop at work as well as most of my personal servers are
running the last Ubuntu LTS release (precise) from Spring 2012 and don't
have it.  Some things upgrade slowly.  I don't have any knowledge one way
or the other on how much of a burden it would be for the open source MTAs
and their admins, etc.

Probably less work than getting DNSSEC up, I guess.
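The "new RR-Type" under discussion is TLSA (RR type 52, RFC 6698). The following is an added example, not code from this thread or from any MTA or DNS project: it encodes and decodes TLSA RDATA, renders the presentation format an operator would paste into a zone file, and checks whether a presented certificate matches a record. The certificate bytes are a constructed stand-in, not a real DER certificate; the owner name and port are illustrative.

```python
"""TLSA (RFC 6698) encode/decode and certificate matching.

Added example for the ietf-smtp thread above; not the list's or any
project's code. RDATA layout: usage (1 byte), selector (1 byte),
matching type (1 byte), certificate association data (rest).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

TLSA_RRTYPE = 52  # IANA RR type code for TLSA


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name for the record, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_to_wire(rec: TLSA) -> bytes:
    """Serialize to RDATA bytes; the three leading fields are one octet each."""
    for name, value in (("usage", rec.usage), ("selector", rec.selector),
                        ("matching_type", rec.matching_type)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} out of range: {value}")
    return bytes([rec.usage, rec.selector, rec.matching_type]) + rec.data


def tlsa_from_wire(rdata: bytes) -> TLSA:
    """Parse RDATA bytes; anything shorter than the fixed header is malformed."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def tlsa_presentation(rec: TLSA) -> str:
    """Zone-file form: '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def tlsa_parse_presentation(text: str) -> TLSA:
    """Parse the zone-file form; RFC 6698 allows whitespace inside the hex."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA presentation needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def _association_data(mtype: int, selected: bytes) -> bytes:
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for_cert(cert_der: bytes, usage: int = 3, selector: int = 0,
                  mtype: int = 1, spki_der: Optional[bytes] = None) -> TLSA:
    """Build the record an operator would publish for a certificate.

    selector 1 needs the DER SubjectPublicKeyInfo; extracting it from the
    certificate is out of scope here, so the caller supplies it.
    """
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 requires spki_der")
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    return TLSA(usage, selector, mtype, _association_data(mtype, selected))


def tlsa_matches(rec: TLSA, cert_der: bytes,
                 spki_der: Optional[bytes] = None) -> bool:
    """Does the presented certificate satisfy the record? Constant-time compare."""
    expected = tlsa_for_cert(cert_der, rec.usage, rec.selector,
                             rec.matching_type, spki_der)
    return hmac.compare_digest(expected.data, rec.data)


# Constructed stand-in for a DER certificate (not a real X.509 object).
SAMPLE_CERT_DER = b"\x30\x82constructed-stand-in-for-a-DER-certificate"


def demo() -> str:
    """Publish a DANE-EE / full-cert / SHA-256 record for the sample cert."""
    rec = tlsa_for_cert(SAMPLE_CERT_DER)
    return f"{tlsa_owner('mail.example.com')} IN TLSA {tlsa_presentation(rec)}"


if __name__ == "__main__":
    print(demo())
```

Usage 3 with selector 0 or 1 (DANE-EE) is what most SMTP deployments publish, because it pins the server's own certificate or key and does not depend on a public CA path. Note that `tlsa_matches` only answers whether the certificate matches the record; as the thread points out, the record itself is only trustworthy when it arrives under DNSSEC validation.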

ietf-smtp mailing list