�On Oct 27, 2019, at 11:00 AM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
Bottom line, sign-away, you'll not have any issues, unless your domain
is hosted by a small number of small (mostly Dutch) providers.
I agree that the DNSSEC problems have close to nothing to do with mail issues.
But it's hard to sign the MX records for a domain without also signing the A
and AAAA records.
Yes, signatures are zone-wide, but while mobile clients behind broken
middleboxes may not be able to take advantage of DNSSEC signatures,
they generally continue to function, with DNS security disabled. Were
that not the case, ~10 million signed domains would have DNSSEC-related
problems serving web pages (which is not the case). Top 20 slightly
dated website ranks of DNSSEC signed domains:
50 mozilla.org
75 nih.gov
84 paypal.com
91 europa.eu
132 force.com
181 stanford.edu
194 quizlet.com
210 cloudflare.com
221 nasa.gov
228 debian.org
235 canva.com
240 time.com
246 cdc.gov
251 taboola.com
262 foxnews.com
268 washingtonexaminer.com
280 mediafire.com
281 statcounter.com
283 thestartmagazine.com
304 berkeley.edu
--
Viktor.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp