Microsoft is implementing DANE five years after we completed MTA-STS, and 
they're still not done.  That's a fair bit of time.  IIRC, they implemented 
MTA-STS before we were done with the draft.  I applaud them for deploying DANE, 
but for the meantime, it seems beneficial to support both (which Comcast does, 
inbound and outbound).  Perhaps some day the other large providers will adopt 
DANE, though I'd rather be using DANE/MTA-STS in as many places as we can.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Tom Ivar Helbekkmo via mailop
> Sent: Friday, March 3, 2023 4:43 AM
> To: John Levine via mailop <mailop@mailop.org>
> Cc: John Levine <jo...@taugh.com>
> Subject: [EXTERNAL] Re: [mailop] MTA-STS and DANE, Mail Sending Self-Test Platform
> 
> John Levine via mailop <mailop@mailop.org> writes:
> 
> > I realize conspiracy theories are fun, but I actually talked to the
> > people who designed MTA-STS at the time they were developing it.
> 
> I guess I was a bit harsh, and also could have made it more clear that I'm
> guessing at what could be the reason for such a move.  However, calling my
> guess a "conspiracy theory" is, I think, a bit over the top.
> I'm not suggesting that any kind of conspiracy exists, merely that Google did
> something for the most common reason any company does anything.  I
> shouldn't have suggested that they deliberately set out to fool people, though.
> As I pointed out, it says right in the RFC that MTA-STS is an inferior and less
> secure alternative to DANE.
> 
> > Google people did the largest amount of work, and they told me that
> > they didn't (and still don't) do DNSSEC because too much stuff other
> > places would break. Their DNS infrastructure is quite able to handle
> > DNSSEC, but they believed that it would be too long until DNSSEC and
> > DANE would work reliably so MTA-STS was the kludge in the meantime.
> 
> I don't get it.  Surely, things would only "break" where people have tried to
> implement these mechanisms, presumably in order to improve their security,
> and done it wrong?  Those installations are already broken, but their owners are
> unaware.  If a big player like Google were to implement DANE support, they
> would probably notice, and fix their mistakes.  After all, DNSSEC and DANE have
> worked reliably for a very long time, but, like most other things, MTA-STS
> included, they have to be correctly configured by those who are using them.
> 
> > Clearly opinions can vary. Comcast's mail system is pretty big, and
> > they do use DNSSEC and DANE.
> 
> Also, Microsoft, the other big party in the MTA-STS design work, is in the process
> of implementing it.  They already correctly verify DNSSEC and DANE when
> sending email, and are working on the incoming support.
> 
> Big players implementing these things is important, because it gives momentum
> to the spreading of awareness and use elsewhere.  Fundamental security
> mechanisms like DNSSEC and RPKI ought to be ubiquitous.
> 
> On a related note, I also wish the big browsers would check for DNSSEC and
> DANE, show the user the result, and refuse to connect to a web site with one or
> more DNSSEC protected TLSA records, but none matching the presented
> certificate.  Meanwhile, I use the "DNSSEC/DANE Validator"
> plugin in Firefox, configured to do exactly that.
> 
> -tih
> --
> Most people who graduate with CS degrees don't understand the significance of
> Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
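The client-side check Tom describes (refuse when DNSSEC-signed TLSA records exist but none match the presented certificate), as an added Python example that is not code from either poster. It handles only the end-entity usages (1 and 3) against a leaf certificate whose DER and SubjectPublicKeyInfo bytes the caller supplies, and every byte string in it is a constructed stand-in, not a real certificate.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data from the record

def _usable(r: TLSA) -> bool:
    # Only end-entity usages are handled here; TA usages need chain inspection.
    return r.usage in (1, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)

def ee_record_matches(r: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a usable end-entity record matches the presented leaf certificate."""
    if not _usable(r):
        return False
    selected = cert_der if r.selector == 0 else spki_der
    if r.mtype == 1:
        return hashlib.sha256(selected).digest() == r.data
    if r.mtype == 2:
        return hashlib.sha512(selected).digest() == r.data
    return selected == r.data

def dane_verdict(records: list, dnssec_validated: bool,
                 cert_der: bytes, spki_der: bytes) -> str:
    """'no-policy': DANE does not apply; 'accept': a record matches;
    'refuse': signed records exist but none match, so do not connect."""
    if not dnssec_validated:
        return "no-policy"  # unsigned TLSA data carries no trust
    usable = [r for r in records if _usable(r)]
    if not usable:
        return "no-policy"  # simplification: all-unusable RRset treated as absent
    if any(ee_record_matches(r, cert_der, spki_der) for r in usable):
        return "accept"
    return "refuse"

# Constructed stand-ins for DER data so the example runs offline; not real certificates.
SAMPLE_CERT = b"constructed-leaf-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"

def demo() -> dict:
    """Verdicts for a '3 1 1' record (DANE-EE, SPKI, SHA-256) under four conditions."""
    rec = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
    return {
        "matching": dane_verdict([rec], True, SAMPLE_CERT, SAMPLE_SPKI),
        "mismatch": dane_verdict([rec], True, SAMPLE_CERT, b"constructed-other-key"),
        "unsigned": dane_verdict([rec], False, SAMPLE_CERT, SAMPLE_SPKI),
        "no_records": dane_verdict([], True, SAMPLE_CERT, SAMPLE_SPKI),
    }
```

The "mismatch" case is the one the post wants browsers to surface and refuse; the "unsigned" case shows why the DNSSEC validation step comes first, since an unsigned TLSA answer cannot be used to deny anything.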
