Re: [ietf-smtp] How to encrypt SMTP?

2019-10-27 03:09:51
On Oct 27, 2019, at 2:24 AM, Keith Moore <moore(_at_)network-heretics(_dot_)com> wrote:

I gather that the number of ways that middleboxes can screw up the DNS
is far greater than we can imagine.  And getting people to fix it is not
easy since "the box works fine" and DNS works fine, too.

Ah yes, interesting point.   And users do have strange ideas as to what
"works fine".

What's the half-life of a broken middlebox?   I'm guessing about 10 years.

The middlebox breakage affects mobile users in hotels, airports, home
networks, ...  It has little to no effect on MTAs in data-centres.
MTA-to-MTA DNSSEC does not face any meaningful middle-box barriers.

There are (today) ~1.35 million DNSSEC-signed domains with DNSSEC-signed MX
hosts that have DANE TLSA records.

The only issue is that some hosting providers with very old broken DNSSEC
authoritative servers don't return valid denial of existence for MX-host
TLSA records.  This affects ~800 out of 10 million signed domains.  None
are significant sources or sinks of email.

Bottom line, sign away, you'll not have any issues, unless your domain
is hosted by a small number of small (mostly Dutch) providers.
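The reply above turns on how a DANE-aware sending MTA interprets the TLSA lookup for a DNSSEC-signed MX host: a secure answer, a secure denial of existence, or (the broken-hosting-provider case) a denial that does not validate. The following is an added example, not code from the thread or from any MTA; it models the RFC 7672 outcome table in plain Python with no network access. `dane_policy`, `TlsaRecord`, `LookupResult` and `Status` are names chosen here, and the SPKI bytes used for the matching demo are a constructed placeholder rather than a real certificate.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Validation status of a DNS lookup as reported by a validating resolver
# (AD bit set = secure; AD clear on an unsigned zone = insecure;
# SERVFAIL / failed validation = bogus).
class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

@dataclass
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TlsaRecord":
        # RFC 6698 presentation format: "3 1 1 <hex>", hex may be split on whitespace
        parts = presentation.split()
        if len(parts) < 4:
            raise ValueError("TLSA record needs usage, selector, matching type and data")
        usage, selector, mtype = (int(p) for p in parts[:3])
        return cls(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

    def usable_for_smtp(self) -> bool:
        # RFC 7672: only DANE-TA(2) and DANE-EE(3) are usable for SMTP;
        # PKIX usages and unknown selectors/matching types are "unusable".
        return (self.usage in (2, 3) and self.selector in (0, 1)
                and self.matching_type in (0, 1, 2))

    def matches(self, cert_der: bytes, spki_der: bytes) -> bool:
        # Compare the selected part of the server's certificate with the record data.
        selected = cert_der if self.selector == 0 else spki_der
        if self.matching_type == 0:
            return selected == self.data
        if self.matching_type == 1:
            return hashlib.sha256(selected).digest() == self.data
        if self.matching_type == 2:
            return hashlib.sha512(selected).digest() == self.data
        return False

@dataclass
class LookupResult:
    status: Status
    rrset: List[TlsaRecord]

def dane_policy(mx_status: Status, tlsa: Optional[LookupResult]) -> str:
    """Decide the TLS policy for one MX host, following RFC 7672 section 2.2.

    Returns one of "defer", "opportunistic-tls", "unauthenticated-tls", "dane".
    """
    if mx_status is Status.BOGUS:
        return "defer"                      # MX RRset failed validation: do not deliver
    if mx_status is Status.INSECURE:
        return "opportunistic-tls"          # unsigned domain: DANE not applicable
    assert tlsa is not None, "secure MX requires a TLSA lookup outcome"
    if tlsa.status is Status.BOGUS:
        # The case described in the thread: a signed zone whose server returns a
        # denial of existence that does not validate. A DANE-enforcing client
        # cannot tell "no records" from an attack, so mail is deferred, not
        # downgraded.
        return "defer"
    if tlsa.status is Status.INSECURE:
        return "opportunistic-tls"          # TLSA name lives in an unsigned zone
    if not tlsa.rrset:
        return "opportunistic-tls"          # authenticated denial of existence
    if not any(r.usable_for_smtp() for r in tlsa.rrset):
        # Records are published but none is usable: TLS is still mandatory,
        # only certificate authentication is skipped.
        return "unauthenticated-tls"
    return "dane"                           # usable records: authenticated TLS required

def make_dane_ee_record(spki_der: bytes) -> TlsaRecord:
    # Build the "3 1 1" record an operator would publish for a given SPKI.
    return TlsaRecord(3, 1, 1, hashlib.sha256(spki_der).digest())

if __name__ == "__main__":
    # Constructed placeholder for an MX host's SubjectPublicKeyInfo (not a real key).
    spki = b"constructed-spki-bytes-for-demo"
    rec = make_dane_ee_record(spki)
    print(rec.matches(b"", spki), dane_policy(Status.SECURE, LookupResult(Status.SECURE, [rec])))
```

The point the decision table makes visible is that the ~800 broken domains mentioned above do not weaken anyone's security: a DANE-enforcing sender refuses to downgrade and defers instead, so the cost of a bad denial-of-existence falls on the receiving domain's deliverability, never on the confidentiality of mail that does get sent.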

