I have just updated the Postfix snapshot to support TLSA "2 0 1" and
"2 1 1", in the hope that appropriate operational guidelines will be
included in future specifications from the DANE WG.

Now that I have everyone's attention, perhaps a few more of the working
group leads can respond to the CNAME thread.

On Tue, Apr 16, 2013 at 08:16:48PM -0700, Jim Schaad wrote:

> I would consider the case of using one of the VeriSign roots certificates as
> the TA certificate to be widely pre-configured and therefore would not think
> that there is a big problem.

The default list of trusted CAs for Postfix is *empty*.  Even the
various Verisign roots cannot all be expected to be available on
every SMTP client.

There's nothing magic about Verisign (aka Symantec); there are
plenty of CAs whose popularity varies from country to country and
budget to budget.

If some day, when DANE is more widely deployed, augustcellars.com
becomes a DNSSEC domain, and you publish TLSA "2 0 1" or "2 1 1"
RRs for your SMTP servers with the digest of a Verisign root not
present in your server chain, you'll find you have a bit more free
time to spend on things other than reading email. :-)

The ietf.org mail server runs Postfix; it will, I hope, be upgraded
to enable DANE support not too long after 2.11 is officially released
circa Jan 2014.

-- 
        Viktor.
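The failure mode described in the message above (a "2 0 1" or "2 1 1" record carrying the digest of a root that the server never sends, checked by a client whose CA list is empty) can be reproduced with a small trust-anchor matching check. The block below is an added example written for this page; it is not Postfix code and not part of the original post. It builds placeholder, certificate-shaped DER structures (real X.509 field layout, constructed names and key bytes, no real signatures) so that the SubjectPublicKeyInfo can be located for selector 1, computes the TLSA association data for selectors 0/1 and matching types 0/1/2, and asks whether a usage-2 record matches any certificate in the presented chain. The names `mail.example.invalid`, "Placeholder Root CA" and "Placeholder Intermediate CA" are constructed.

```python
"""
Added example (not Postfix code, not from the original post): a minimal
DANE-TA (TLSA usage 2) trust-anchor matching check.

The "certificates" built here are constructed DER blobs that follow the
X.509 Certificate/TBSCertificate field order but carry placeholder names,
placeholder key bytes and no real signature. They exist only so that the
TLSA selector/matching-type computation can be demonstrated offline.
"""
import hashlib
from typing import List, Tuple

# ---- tiny DER helpers ----------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))

def der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(seq_value: bytes) -> List[Tuple[int, bytes]]:
    """Split a SEQUENCE value into (tag, full child TLV encoding) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = der_read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:end]))
        pos = end
    return out

# ---- placeholder certificate builder (constructed, NOT a real X.509 cert) --

RSA_ENCRYPTION_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"     # 1.2.840.113549.1.1.11
CN_OID = b"\x55\x04\x03"                                           # 2.5.4.3

def make_cert(subject_cn: bytes, key_bytes: bytes) -> bytes:
    """Build a certificate-shaped DER blob with the given CN and key bytes."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                 # [0] EXPLICIT INTEGER 2 (v3)
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_seq(der_tlv(0x06, SHA256_WITH_RSA_OID), der_tlv(0x05, b""))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, CN_OID), der_tlv(0x0C, subject_cn))))
    validity = der_seq(der_tlv(0x17, b"130101000000Z"), der_tlv(0x17, b"140101000000Z"))
    spki = der_seq(der_seq(der_tlv(0x06, RSA_ENCRYPTION_OID), der_tlv(0x05, b"")),
                   der_tlv(0x03, b"\x00" + key_bytes))                # BIT STRING, 0 unused bits
    tbs = der_seq(version, serial, sig_alg, name, validity, name, spki)
    fake_sig = der_tlv(0x03, b"\x00" + hashlib.sha256(tbs).digest())  # placeholder, not a signature
    return der_seq(tbs, sig_alg, fake_sig)

def spki_of(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (the input for selector 1)."""
    _, cert_value, _ = der_read_tlv(cert_der, 0)
    _, tbs_tlv = der_children(cert_value)[0]
    _, tbs_value, _ = der_read_tlv(tbs_tlv, 0)
    fields = der_children(tbs_value)
    # version, serial, sigAlg, issuer, validity, subject, spki; the [0] version is optional
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]

# ---- TLSA association data (RFC 6698 selectors and matching types) --------

SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def tlsa_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    chosen = cert_der if selector == SELECTOR_CERT else spki_of(cert_der)
    if matching == MATCH_FULL:
        return chosen
    if matching == MATCH_SHA256:
        return hashlib.sha256(chosen).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(chosen).digest()
    raise ValueError("unknown matching type")

def tlsa_record(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation form 'U S M hexdata' of the record this cert would publish."""
    return f"{usage} {selector} {matching} {tlsa_data(cert_der, selector, matching).hex()}"

def dane_ta_matches(chain: List[bytes], record: str) -> bool:
    """True if a usage-2 record matches some certificate in the presented chain.

    This is the only trust-anchor lookup a client with an empty CA list can
    do: the TA must be in the chain. (Path validation from the leaf to that TA
    is a separate step, not shown here.)"""
    usage, sel, match, data = record.split()
    if usage != "2":
        raise ValueError("this check is for DANE-TA (usage 2) records only")
    return any(tlsa_data(c, int(sel), int(match)).hex() == data.lower() for c in chain)

# ---- worked scenario -----------------------------------------------------

ROOT = make_cert(b"Placeholder Root CA", b"\x01" * 32)                # constructed
INTERMEDIATE = make_cert(b"Placeholder Intermediate CA", b"\x02" * 32)
LEAF = make_cert(b"mail.example.invalid", b"\x03" * 32)

def scenario() -> dict:
    presented = [LEAF, INTERMEDIATE]                 # usual server chain: root omitted
    rec_intermediate = tlsa_record(INTERMEDIATE, 2, 0, 1)   # "2 0 1" of a cert in the chain
    rec_root = tlsa_record(ROOT, 2, 1, 1)                   # "2 1 1" of a root NOT in the chain
    return {
        "intermediate_in_chain": dane_ta_matches(presented, rec_intermediate),  # True
        "root_absent": dane_ta_matches(presented, rec_root),                    # False
        "root_appended": dane_ta_matches(presented + [ROOT], rec_root),         # True
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The `root_absent` case is the situation the message warns about: the record is well formed and the digest is correct, but a client without a pre-configured copy of that root has nothing to match it against, so the session cannot be authenticated. Appending the root to the served chain (`root_appended`), or pointing the record at a certificate the server already sends, resolves it. Selector 1 (SPKI) is the more robust choice for a trust anchor, since it keeps matching when the TA certificate is re-issued with the same key.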
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
