Re: [ietf-smtp] DANE penetration for MTA/MTA interactions

2021-03-24 17:04:24
On 3/24/2021 2:50 PM, Viktor Dukhovni wrote:
On Wed, Mar 24, 2021 at 02:30:05PM -0700, Dave Crocker wrote:

DANE was first published in 2012, in RFC 6698.

There were in 2012 no implementations and no specification for how it
interacts with MX records, opportunistic TLS, ...  So the earlier date
is not material.

Even at 2015 -- with RFC 7672, for email -- if operational use is
minuscule, more than 5 years later, there is a problem.

I disagree.

It takes a decade or two for infrastructure technologies to make
major transitions.

In terms of admin and operations, DANE is quite similar to DKIM.  It did
not take decades for DKIM adoption to become significant.

It isn't even tangentially similar, for many reasons:

     * DKIM is not intended to tackle active MiTM attacks
       and does not require DNSSEC signing of the server's

The DNSSEC requirement is the major barrier to adoption and it is imposed as an operational requirement, rather than a technical one. It is one line in the specification. Because of slow DANE adoption, there was even exploration of doing DANE without the requirement. My impression is that it fizzled.

     * DKIM does not require a validating resolver on the
       sending client.

The software querying for the key has to do validation. That's the same technical requirement for both mechanisms.

     * DKIM had a strong forcing function in the form of the
       major mailbox providers erecting barriers to non-DKIM

There's a lesson there.  I fear it's being missed.

     * DANE interacts with and overlaps X.509 certificate
       management, which with the advent of ACME (Let's Encrypt,
       ...) complicates the automation of TLSA record updates.
       I hope to release some tooling to reduce friction in the
       next couple of months...

Indeed.  DANE is more complicated than DKIM.

DANE/DNSSEC is much more akin to IPv6 in terms of adoption, and
comparisons to DKIM are not particularly apt.

In terms of poor adoption history, that's correct. My original point, however, was in terms of end-to-end basic systems architecture. In that regard, DANE and DKIM are quite similar.


Dave Crocker
Brandenburg InternetWorking
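
As an added illustration of the TLSA-upkeep point raised in the thread (certificate renewals under ACME forcing TLSA record updates), and not code from either author: the RFC 6698 association-data rules applied to constructed stand-in certificates embedding a hand-built Ed25519 SubjectPublicKeyInfo, showing that a DANE-EE "3 1 1" record pinning the SPKI survives a same-key renewal while a "3 0 1" full-certificate digest does not. The hostname, serials and key bytes are placeholders, and the stand-in certificates are not real X.509 structures.

```python
import hashlib

# Constructed sample (not from the thread): a DER SubjectPublicKeyInfo for an Ed25519
# key, built by hand as SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING <32 bytes> }.
ED25519_ALG = bytes.fromhex("300506032b6570")            # AlgorithmIdentifier
SPKI_DER = b"\x30\x2a" + ED25519_ALG + b"\x03\x21\x00" + bytes(range(32))
SPKI_DER_NEWKEY = b"\x30\x2a" + ED25519_ALG + b"\x03\x21\x00" + bytes(range(32, 64))

def fake_cert(serial: int, spki: bytes) -> bytes:
    """Stand-in for a certificate's DER: a SEQUENCE that changes per issuance (serial)
    but embeds the SPKI unchanged. Real code would parse the full X.509 DER instead."""
    body = b"\x02\x04" + serial.to_bytes(4, "big") + spki
    return b"\x30" + bytes([len(body)]) + body

CERT_V1 = fake_cert(1, SPKI_DER)          # initial issuance
CERT_V2 = fake_cert(2, SPKI_DER)          # ACME renewal, same key pair retained
CERT_V3 = fake_cert(3, SPKI_DER_NEWKEY)   # renewal with a freshly generated key

def tlsa_assoc_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """RFC 6698 association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()

def tlsa_record(usage: int, selector: int, matching: int,
                cert_der: bytes, spki_der: bytes) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <hex>'. RFC 7672 restricts SMTP to
    DANE-TA(2) and DANE-EE(3); the PKIX usages 0 and 1 do not apply to MTA-to-MTA."""
    if usage not in (2, 3):
        raise ValueError("usage %d is not valid for DANE SMTP (RFC 7672)" % usage)
    assoc = tlsa_assoc_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {assoc.hex()}"

def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy this TLSA record?"""
    usage, selector, matching, hexdata = record.split()
    got = tlsa_assoc_data(int(selector), int(matching), cert_der, spki_der)
    return got == bytes.fromhex(hexdata)

def renewal_survival() -> dict:
    """Which records published for CERT_V1 still match after a same-key renewal?"""
    published = {"3 1 1": tlsa_record(3, 1, 1, CERT_V1, SPKI_DER),
                 "3 0 1": tlsa_record(3, 0, 1, CERT_V1, SPKI_DER)}
    return {k: tlsa_matches(rec, CERT_V2, SPKI_DER) for k, rec in published.items()}

if __name__ == "__main__":
    print("_25._tcp.mx.example.test. IN TLSA", tlsa_record(3, 1, 1, CERT_V1, SPKI_DER))
    print("survives same-key renewal:", renewal_survival())
    print("3 1 1 still matches after key rotation:",
          tlsa_matches(tlsa_record(3, 1, 1, CERT_V1, SPKI_DER), CERT_V3, SPKI_DER_NEWKEY))
```

Keeping the key pair across renewals (or publishing the next key's record before rotating) is what keeps a "3 1 1" record valid without a synchronized DNS update.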

