
Re: Last Call: <draft-ietf-dane-openpgpkey-07.txt>

2016-02-15 17:21:58
On Mon, 15 Feb 2016, John Levine wrote:

> You know, this is a self-inflicted wound.  Had they asked people in
> the e-mail community while designing this hack whether it is a good
> idea to map mailbox names into the DNS, the unanimous response would
> be that it never has worked in the past, and it's not going to work
> any better now.

We did ask. Not only that, they attended one DANE meeting en masse.

> There are perfectly reasonable ways to do DANE-secured lookups of
> mailbox keys.  A simple one would be a per-domain SRV or URI record
> that points at an RFC 4387 key server, with its certs secured by TLSA.
> It's just as secure, just as DANE-ful, and has none of the semantics
> and scaling problems of trying to shove mailbox keys into the DNS.
> Its realistic security is better, since the mailbox names don't get
> relayed through DNS caches of unknown snoopiness.

Please look in the DANE archive as to why this solution was rejected
before.

> The endless debate about upper/lower case, and the continuing failure
> to address the much greater actual range of mailbox semantics problems
> should tell us to back up and look for something that really works.

This exact statement was said 1 and 2 years ago. If the people that
think this is a problem are not moving, then I don't think this
document should be held hostage to that process. In other words, go
do your local-part to DNS mapping and come back and write a bis
document.

Paul
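The upper/lower case point argued above is easiest to see in working code. The following Python is an added example and is not part of this thread or of the draft's own text: it builds the DNS owner name used by the OPENPGPKEY scheme (local-part, UTF-8 encoded, SHA2-256, truncated to 28 octets, lowercase hex, under `_openpgpkey.<domain>`) as specified in the published RFC 7929, on the assumption that the -07 draft under Last Call uses the same hashing. The `case_fold` parameter is a hypothetical knob, not part of the specification, added only to show why the question of who canonicalises the local-part matters: without an agreed rule, `Alice@example.com` and `alice@example.com` look up different records.

```python
import hashlib

# Label under which OPENPGPKEY records are published (RFC 7929).
OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(email: str, case_fold: bool = False) -> str:
    """Return the DNS owner name for the OPENPGPKEY record of `email`.

    Scheme as in RFC 7929: the local-part is UTF-8 encoded, hashed with
    SHA2-256, the digest truncated to 28 octets (224 bits) and hex-encoded,
    and the result placed under _openpgpkey.<domain>.

    `case_fold` is a hypothetical option (not in the specification) that
    lowercases the local-part before hashing, to illustrate the effect of
    a canonicalisation rule on the lookup.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mailbox address: {email!r}")
    if case_fold:
        local_part = local_part.lower()
    # Domain names are case-insensitive in the DNS; the local-part is not.
    domain = domain.lower().rstrip(".")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain}"


def case_variants_agree(email: str, case_fold: bool = False) -> bool:
    """True if the upper- and lower-cased local-parts of `email` map to the
    same owner name under the chosen canonicalisation."""
    local_part, _, domain = email.rpartition("@")
    lower = openpgpkey_owner_name(f"{local_part.lower()}@{domain}", case_fold)
    upper = openpgpkey_owner_name(f"{local_part.upper()}@{domain}", case_fold)
    return lower == upper


if __name__ == "__main__":
    # Constructed sample addresses; example.com is a reserved documentation domain.
    for addr in ("alice@example.com", "Alice@example.com", "ALICE@example.com"):
        print(f"{addr:22} -> {openpgpkey_owner_name(addr)}")
    print("variants agree without folding:", case_variants_agree("alice@example.com"))
    print("variants agree with folding:   ", case_variants_agree("alice@example.com", case_fold=True))
```

Run without arguments it prints three different owner names for the three spellings, which is the interoperability hazard the thread is arguing about: a sender's MUA and the publishing domain must apply the same canonicalisation or the lookup silently finds nothing. The hashing also shows why the privacy argument in the quoted text is about the DNS cache seeing the hashed label rather than the raw mailbox name; the hash is not a secret, so a cache that guesses a local-part can confirm it.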
