Re: [ietf-smtp] DANE penetration for MTA/MTA interactions

2021-03-24 19:05:08
The only other game in town is MTA-STS, which
is a Rube Goldberg contraption with DNS text records, long-term policy
caches, HTTPS services and having to duplicate MX records outside of
DNS.  It isn't gaining broad traction beyond the large providers.

Indeed ... but it fixes the actual real world problem which the large
providers have -- which is that if, even for a short time, large
provider A delivers all the email to large provider B via some foreign
entity's servers then it will be front page news when it is noticed.
Mis-delivering email destined to some less important destination is bad,
but won't make it onto page 47 and that other place can join the gang
any time they decide to care.

Since DNSSEC is currently a non-starter for other parts of A and B's
business -- issues of fragility along with an assessment that it doesn't
solve any of the real problems they face, so the engineering is not
worth investing in -- then it is inherent that DNSSEC cannot be
used as part of the solution which addresses the problems the mail teams
have to solve.

If standards conformant (cos the large providers really like that) DANE
had not mandated DNSSEC then maybe MTA-STS would not exist.

Because of slow DANE adoption, there was even exploration of doing
DANE without the requirement.  My impression is that it fizzled.

It never made sense.  Just do STARTTLS; if unverified DNS is good
enough, so are unverified certificates.

There's a growing literature on why security standards are widely
adopted (and why so many fail) along with a pretty good understanding of
what levers are available ...  at one level TOFU doesn't make sense at
all .. but a great many of our systems depend on it and those who are
moving on to Zero Trust are discovering quite how expensive that can be
and it's hard to find examples where there is a return on investment.
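The MTA-STS mechanics mentioned at the top of the thread (a DNS TXT record, a policy fetched over HTTPS, and an MX list that duplicates what DNS already says) can be seen end to end in a small parser and matcher. The following is an added example written for this page, not code from anyone on the list or from any MTA; the domain names, record contents and candidate MX hosts are constructed, and the wildcard rule follows RFC 8461 (a `*.` pattern covers exactly one left-most label).

```python
"""
Added example (not from the thread): parse an MTA-STS TXT record and
policy file, then decide which candidate MX hosts may be used.
All sample records and hostnames below are constructed for illustration.
"""

# Constructed sample: what a resolver would return for
# the TXT record at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20210324T190508"

# Constructed sample policy body, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record into a dict; None if it is not an STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        return None
    return fields


def parse_policy(body):
    """Parse the policy file into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % line)
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])  # seconds the policy may be cached
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: exact name, or '*.' covering exactly one leading label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return bool(leading) and "." not in leading
    return host == pattern


def permitted_mx(policy, mx_hosts):
    """Split candidate MX hostnames into (allowed, rejected) under the policy."""
    allowed, rejected = [], []
    for host in mx_hosts:
        if any(mx_matches(p, host) for p in policy["mx"]):
            allowed.append(host)
        else:
            rejected.append(host)
    return allowed, rejected


def should_deliver(policy, mx_hosts):
    """In enforce mode only permitted hosts are usable; testing/none just report."""
    allowed, _rejected = permitted_mx(policy, mx_hosts)
    if policy["mode"] == "enforce":
        return allowed
    return list(mx_hosts)


if __name__ == "__main__":
    record = parse_sts_txt(SAMPLE_TXT)
    pol = parse_policy(SAMPLE_POLICY)
    # Constructed candidate set, as an unverified MX lookup might return it
    candidates = ["mail.example.com", "mx1.backup-mx.example.net",
                  "deep.mx1.backup-mx.example.net", "mail.attacker.example"]
    print(record, pol["mode"], should_deliver(pol, candidates))
```

The point the thread makes is visible in the shape of the code: the TXT record only announces that a policy exists, the real MX list lives in the HTTPS-fetched file, and the `max_age` value is what turns a single successful fetch into a long-lived cached decision rather than a per-message DNS lookup.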

