> On Oct 1, 2016, at 11:01 AM, li...@lazygranch.com wrote:
>
> On the latest "Security Now" podcast, Steve Gibson makes noises about
> DNSSEC/DANE replacing certs, but not in detail.
I think that this thread, which was only tenuously connected to Postfix in the first place, is no longer operationally relevant and has likely outlived its welcome on this list. We should wind it down.

By way of closing comments:

* DANE is reasonably practical for MTA-to-MTA SMTP, where it makes more sense than WebPKI, provided DNSSEC adoption does not prove too high a barrier to entry:

  https://tools.ietf.org/html/rfc7672#section-1.3

* DANE is not at this time practical for browser-to-webserver HTTPS. A major obstacle is that many mobile "hotspots" are not compatible with DNSSEC at this time. There is some work in progress to define DANE-stapling, where the HTTPS server can return the relevant DNS records to the HTTPS client via a new TLS extension. This will take some time. Until then, don't expect much traction from DANE in the HTTPS space.

* There may be some niche use of DANE in some other areas (XMPP, and programmatic HTTPS in closed environments where access via browsers or from remote locations is not a requirement), but SMTP is where the action is for the moment and adoption is starting to pick up steam. Just today another major hosting provider added DANE TLSA records for one out of their five MX hosts; I expect that their other MX hosts will follow along soon...

In Oct/2015 at the M3AAWG meeting in Atlanta I reported 7000+ DANE domains, 24 of which had been sighted in Google's email transparency report (which reports only domains that cross a mail volume lower bound). Today I would report 60,000+ domains, 75 of which have been sighted in Google's transparency report. So I'm cautiously optimistic that DANE for SMTP still has reasonable adoption momentum.

-- 
Viktor.
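As an added illustration of the MTA-to-MTA case discussed above (example code, not from the thread or from Postfix), the following shows how an SMTP client matches a server's certificate chain against TLSA records, applying the RFC 6698 selector/matching-type rules with the RFC 7672 restriction that only DANE-TA(2) and DANE-EE(3) usages are usable. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders standing in for real DER; the name and validity checks that DANE-TA additionally requires are left out.

```python
"""DANE TLSA matching for SMTP (RFC 6698 + RFC 7672 usage rules).

The Cert byte strings used with this module are CONSTRUCTED placeholders,
not real DER; the matching logic operates on whatever bytes it is given.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    der: bytes   # full certificate bytes  (TLSA selector 0 = Cert)
    spki: bytes  # SubjectPublicKeyInfo    (TLSA selector 1 = SPKI)


@dataclass(frozen=True)
class Tlsa:
    usage: int
    selector: int
    mtype: int
    data: bytes  # certificate association data


def parse_tlsa(rr: str) -> Tlsa:
    """Parse TLSA presentation form, e.g. '3 1 1 <hex digest>'."""
    u, s, m, hexdata = rr.split(None, 3)
    return Tlsa(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Association data a TLSA record with this selector/mtype would carry."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw                               # Full: exact bytes
    if mtype == 1:
        return hashlib.sha256(raw).digest()      # SHA2-256
    if mtype == 2:
        return hashlib.sha512(raw).digest()      # SHA2-512
    raise ValueError("unknown matching type")


def tlsa_presentation(cert: Cert, usage: int, selector: int, mtype: int) -> str:
    """Presentation form a zone operator would publish for this cert."""
    return f"{usage} {selector} {mtype} {assoc_data(cert, selector, mtype).hex()}"


def dane_smtp_verdict(chain: List[Cert], rrs: List[Tlsa]) -> str:
    """chain[0] is the server certificate; the rest are issuers it presented.

    Returns 'verified', 'fail' (usable records, none matched) or
    'unauthenticated' (no usable records: RFC 7672 says encrypt anyway,
    but the peer cannot be authenticated)."""
    usable = [r for r in rrs if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not usable:
        return "unauthenticated"
    for r in usable:
        if r.usage == 3 and assoc_data(chain[0], r.selector, r.mtype) == r.data:
            return "verified"                    # DANE-EE: the EE cert itself matches
        if r.usage == 2 and any(assoc_data(c, r.selector, r.mtype) == r.data for c in chain[1:]):
            return "verified"                    # DANE-TA: a presented issuer is the trust anchor
    return "fail"
```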