Re: [ietf-smtp] DANE penetration for MTA/MTA interactions

2021-03-24 16:50:48
On Wed, Mar 24, 2021 at 02:30:05PM -0700, Dave Crocker wrote:

> DANE was first published in 2012, in RFC 6698.

There were in 2012 no implementations and no specification for how it
interacts with MX records, opportunistic TLS, ...  So the earlier date
is not material.

> Even at 2015 -- with RFC 7672, for email -- if operational use is
> minuscule, more than 5 years later, there is a problem.

I disagree.

It takes a decade or two for infrastructure technologies to make
major transitions.

> In terms of admin and operations, DANE is quite similar to DKIM.  It did
> not take decades for DKIM adoption to become significant.

It isn't even tangentially similar, for many reasons:

    * DKIM is not intended to tackle active MiTM attacks
      and does not require DNSSEC signing of the server's

    * DKIM does not require a validating resolver on the
      sending client.

    * DKIM had a strong forcing function in the form of the
      major mailbox providers erecting barriers to non-DKIM

    * DANE interacts with and overlaps X.509 certificate
      management, which with the advent of ACME (Let's Encrypt,
      ...) complicates the automation of TLSA record updates.
      I hope to release some tooling to reduce friction in the
      next couple of months...

> > In the USA, since the only major provider with DANE is Comcast users

> Using your start date, that's 6 years later with only one major provider?

In the USA, correct.  Largely gated by the fact that the threat model is
on-path active attacks, which therefore requires data integrity in the
DNS signalling.  Hence DNSSEC, which is for the moment still not widely
used in the USA.  Changes are afoot, even Route-53 now offers DNSSEC
and there are strong signals of upcoming shifts at e.g. Godaddy (fingers

DANE/DNSSEC is much more akin to IPv6 in terms of adoption, and
comparisons to DKIM are not particularly apt.
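The TLSA/ACME friction noted in the list above, as an added example that is not from the thread or from the tooling it mentions: a POSIX shell script (assumes `openssl` is installed; the MX host name `mx.example.invalid` is a constructed placeholder) that derives the "3 1 1" TLSA data RFC 7672 recommends for MTAs and shows why a renewal that reuses the key pair leaves the published record valid, while a key change needs a rollover in DNS first.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it mentions.
# Derives DANE-EE(3) SPKI(1) SHA-256(1) TLSA data for an MTA certificate
# and the rollover records needed when an automated renewal changes the key.
set -eu

# "3 1 1" RDATA for a PEM certificate: SHA-256 over the DER-encoded
# SubjectPublicKeyInfo.  Only the key pair matters, not the certificate, so
# a renewal that keeps the key pair does not change this value.
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | awk '{ print "3 1 1 " $1 }'
}

# Full record for an MX host name on port 25 (host name supplied by caller).
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA %s\n' "$1" "$(tlsa_3_1_1 "$2")"
}

# Succeeds when the renewed certificate ($2) keeps the key pair of the
# current one ($1), i.e. the published TLSA record stays valid as-is.
tlsa_unchanged() {
    [ "$(tlsa_3_1_1 "$1")" = "$(tlsa_3_1_1 "$2")" ]
}

# Records to publish *before* deploying a certificate with a new key pair:
# old and new data must both be live for at least one TTL so that senders
# holding cached records still validate (RFC 7671, section 8.1); drop the
# old record only after the new certificate is in service.
tlsa_rollover_records() {
    tlsa_record "$1" "$2"
    tlsa_record "$1" "$3"
}

# Stand-alone use: ./tlsa.sh mx.example.invalid cert.pem [renewed-cert.pem]
if [ "$#" -ge 2 ]; then
    if [ "$#" -ge 3 ] && ! tlsa_unchanged "$2" "$3"; then
        tlsa_rollover_records "$1" "$2" "$3"
    else
        tlsa_record "$1" "$2"
    fi
fi
```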


ietf-smtp mailing list