On 10/7/19 9:46 AM, John Levine wrote:
>> And depending on DNSSEC probably does impair the ability of this to be
>> deployed. But if DoT can be used instead of DNSSEC, it seems to me
>> that this might be easier to deploy than MTA-STS.
>
> But DoT and DNSSEC are unrelated. DNSSEC promises that the data you
> got are the ones that the authoritative servers published, even though
> someone might have snooped on the way. DoT promises that nobody
> snooped and the data you got are the ones that the resolver, which may
> be lying, sent.
Clearly you can't trust the resolver. But an answer to a DoT query to
an authoritative server seems like it would be sufficient, provided
there's assurance that the server really is authoritative.
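The distinction drawn above (a channel guarantee to the resolver versus an origin guarantee from the zone) can be made concrete with a small model. The following Go program is an added example, not code from the thread or from either poster: it signs a constructed RRset with a real Ed25519 zone key as a stand-in for RRSIG, models the resolver as either honest or lying, and models the client-resolver hop as either cleartext with an active on-path party or DoT, where the channel delivers exactly what the resolver sent. No TLS is actually run; the names `example.com.`, the MX rdata and the type and function names are all constructed for the example. The 2x2 matrix it prints shows DoT catching only the on-path rewrite while signature validation catches both the on-path rewrite and the lying resolver.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and rdata strings.
type RRset struct {
	Name  string
	Type  string
	Rdata []string
}

// canonical serializes an RRset in a fixed order so signer and verifier agree on
// the signed bytes. It stands in for RFC 4034 canonical form (not wire format).
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(rd, "|"))
}

// SignedRRset pairs an RRset with the zone's signature over it (stand-in for an RRSIG).
type SignedRRset struct {
	RRset RRset
	Sig   []byte
}

// SignRRset is what the authoritative side does at publication time.
func SignRRset(priv ed25519.PrivateKey, r RRset) SignedRRset {
	return SignedRRset{RRset: r, Sig: ed25519.Sign(priv, r.canonical())}
}

// ValidateRRset is DNSSEC-style validation at the client: the data is checked
// against the zone's public key, whatever path the answer took to get here.
func ValidateRRset(zoneKey ed25519.PublicKey, a SignedRRset) bool {
	return ed25519.Verify(zoneKey, a.RRset.canonical(), a.Sig)
}

// Resolver models a recursive resolver that either forwards the authoritative
// answer unchanged or substitutes its own (the "lying resolver").
type Resolver struct{ Lying bool }

func (rs Resolver) Answer(auth SignedRRset) SignedRRset {
	if !rs.Lying {
		return auth
	}
	forged := auth // struct copy; Rdata is replaced, not mutated in place
	forged.RRset.Rdata = []string{"10 mx.resolver-lie.example."} // constructed
	return forged
}

// Transport models the client-resolver hop. Over cleartext an active on-path
// party can rewrite the answer; over DoT the TLS channel delivers exactly what
// the resolver sent. Only that channel property is modelled; no TLS is run.
type Transport struct {
	DoT    bool
	OnPath bool // an active on-path party is present
}

func (t Transport) Deliver(a SignedRRset) SignedRRset {
	if t.OnPath && !t.DoT {
		tampered := a
		tampered.RRset.Rdata = []string{"10 mx.on-path.example."} // constructed
		return tampered
	}
	return a
}

// Outcome separates the two guarantees the thread contrasts.
type Outcome struct {
	MatchesResolver bool // what DoT assures: bytes are the ones the resolver sent
	MatchesZone     bool // what DNSSEC assures: bytes are the ones the zone published
}

// Lookup runs one query through the model and reports both properties.
func Lookup(zoneKey ed25519.PublicKey, auth SignedRRset, rs Resolver, t Transport) Outcome {
	fromResolver := rs.Answer(auth)
	received := t.Deliver(fromResolver)
	return Outcome{
		MatchesResolver: bytes.Equal(received.RRset.canonical(), fromResolver.RRset.canonical()),
		MatchesZone:     ValidateRRset(zoneKey, received),
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample zone data.
	auth := SignRRset(priv, RRset{Name: "example.com.", Type: "MX",
		Rdata: []string{"10 mx1.example.com.", "20 mx2.example.com."}})
	for _, rs := range []Resolver{{Lying: false}, {Lying: true}} {
		for _, tr := range []Transport{{DoT: false, OnPath: true}, {DoT: true, OnPath: true}} {
			o := Lookup(pub, auth, rs, tr)
			fmt.Printf("lying=%-5v dot=%-5v  matchesResolver=%-5v matchesZone=%v\n",
				rs.Lying, tr.DoT, o.MatchesResolver, o.MatchesZone)
		}
	}
}
```

The row with a lying resolver over DoT is the one the thread is about: `matchesResolver` is true because the channel did its job, and `matchesZone` is false because only the zone's signature can say whether the resolver told the truth. The canonical ordering also illustrates why a DNSSEC validator does not care in which order a resolver returns the records of an RRset.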
ietf-smtp mailing list