On Wed, Mar 24, 2021 at 02:30:05PM -0700, Dave Crocker wrote:
DANE was first published in 2012, in RFC 6698.
There were in 2012 no implementations and no specification for how it
interacts with MX records, opportunistic TLS, ... So the earlier date
is not material.
Even at 2015 -- with RFC 7672, for email -- if operational use is
miniscule, more than 5 years later, there is a problem.
I disagree.
It takes a decade or two for infrastructure technologies to make
major transitions.
In terms of admin and operations, DANE is quite similar to DKIM. It did
not take decades for DKIM adoption to become significant.
It isn't even tangentially similar, for many reasons:
* DKIM is not intended to tackle active MiTM attacks
and does not require DNSSEC signing of the server's
zone.
* DKIM does not require a validating resolver on the
sending client.
* DKIM had a strong forcing function in the form of the
major mailbox providers erecting barriers to non-DKIM
mail.
* DANE interects with and overlaps X.509 certificate
management, which with the advent of ACME (Let's Encrypt,
...) complicates the automation of TLSA record updates.
I hope to release some tooling to reduce friction in the
next couple of months...
In the USA, since the only major provider with DANE is Comcast users
Using your start date, that's 6 years later with only one major provider?
In the USA, correct. Largely gated by the fact that the threat model is
on-path active attacks, which therefore requires data integrity in the
DNS signalling. Hence DNSSEC, which is for the moment still not widely
used in the USA. Changes are afoot, even Route-53 now offers DNSSEC
and there are strong signals of upcoming shifts at e.g. Godaddy (fingers
crossed).
DANE/DNSSEC is much more akin to IPv6 in terms of adoption, and
comparisons to DKIM are not particularly apt.
--
Viktor.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp