On Mon, Aug 22, 2022 at 02:38:20PM -0700, nate wrote:

> On 2022-08-22 14:30, Viktor Dukhovni wrote:
> 
> > Correct, because there's no point.  Mail would be sent whether the
> > certificate is trusted or not, and whether or not the DNS-ID matches
> > expectations.
> > 
> > Setting up a TLS policy for each domain that's hosted by Microsoft is
> > unrealistic, and they don't yet support DANE (but this is planned).
> 
> ok thanks!
> 
> I looked into DANE yesterday; I had never heard of it before that, as far
> as I can recall anyway, and it appeared to need DNSSEC, which isn't
> something I've had an interest in deploying.

You don't need to sign your own domain in order to secure outbound traffic
to domains that others have signed.  You just need a local validating
resolver such as "unbound", with DNSSEC validation turned on.

You need a local resolver anyway, just to use most RBLs, so turning on
validation is a simple change.

> I read what appeared to be a really
> good blog post on DNSSEC a few years ago that really ripped it apart
> (https://sockpuppet.org/blog/2015/01/15/against-dnssec/).

Don't believe everything you read.

> Can't vouch for accuracy but the person seemed like they knew what
> they were talking about. That was of course 7 years ago so maybe
> things have changed since.

My take is that the person in question likes being a cult leader,
dispensing wisdom to adherents, who then, along with the leader, get to
feel superior to the uninitiated masses.

The tooling around DNSSEC has significantly improved recently, making
hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and later.
Or you can get your domain professionally operated by Google, one.com,
OVH, ... who operate millions of signed domains with no issues.

In any case, outbound DANE does not require anything non-trivial on your
end.

-- 
    Viktor.

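As an added example (not part of Viktor's message, and not Postfix's or unbound's own documentation), here is a sketch of the outbound-only setup described above: a local validating unbound, Postfix told to trust DNSSEC answers from it and to use DANE, and a check that the resolver really sets the AD bit. It assumes unbound as the resolver and Postfix 2.11 or later as the MTA; the config paths, the 127.0.0.1 listening address and the `apply`/`check` arguments are assumptions, and the two sample `dig` header lines are constructed for the self-test.

```shell
#!/bin/sh
# Added example, not from the thread. Enables outbound DANE without signing
# your own zone: (1) a local DNSSEC-validating unbound, (2) Postfix pointed
# at it. Paths below are assumptions; adjust them to your distribution.

UNBOUND_CONF=/etc/unbound/unbound.conf.d/dnssec-local.conf   # assumed path
ROOT_KEY=/var/lib/unbound/root.key                           # assumed path

# Write the resolver config. Validation is what matters: without it the AD
# bit is never set and Postfix will never see a "secure" TLSA record.
write_unbound_conf() {
    cat > "$UNBOUND_CONF" <<EOF
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Root trust anchor, maintained by unbound-anchor (RFC 5011 rollover).
    auto-trust-anchor-file: "$ROOT_KEY"
    # Never turn this on for a mail server: it would hand bogus answers
    # to Postfix as if they were merely insecure.
    val-permissive-mode: no
EOF
}

# Postfix side. smtp_dns_support_level=dnssec makes Postfix trust the AD bit,
# which is only safe when /etc/resolv.conf (and the copy inside the chroot,
# if smtp runs chrooted) lists 127.0.0.1 and nothing else.
configure_postfix_dane() {
    postconf -e 'smtp_dns_support_level = dnssec'
    postconf -e 'smtp_tls_security_level = dane'
    postconf -e 'smtp_tls_loglevel = 1'   # logs "Verified TLS connection" for DANE peers
}

# Succeeds if a dig header (passed as $1) shows the AD (authenticated data)
# flag, e.g. ";; flags: qr rd ra ad; QUERY: 1, ...".
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Live check against the local resolver: the root zone is signed, so a
# validating resolver must answer with AD set.
check_local_resolver() {
    hdr=$(dig +dnssec +noall +comments @127.0.0.1 . SOA)
    if has_ad_flag "$hdr"; then
        echo "127.0.0.1 validates (AD set); Postfix DANE can work"
    else
        echo "no AD flag from 127.0.0.1: validation is off or the resolver is not local" >&2
        return 1
    fi
}

# Constructed sample headers, used only to exercise has_ad_flag offline.
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

case "${1:-}" in
    apply) write_unbound_conf && configure_postfix_dane ;;
    check) check_local_resolver ;;
esac
```

Run `sh dane-outbound.sh apply` as root, restart unbound and Postfix, then `sh dane-outbound.sh check`. After that, deliveries to domains that publish TLSA records show up in the log as "Verified TLS connection", and domains without them fall back to opportunistic TLS exactly as before.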