On 8/22/22 17:38, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
> 
>> Correct, because there's no point.  Mail would be sent whether the
>> certificate is trusted or not, and whether or not the DNS-ID matches
>> expectations.
>>
>> Setting up a TLS policy for each domain that's hosted by Microsoft is
>> unrealistic, and they don't yet support DANE (but this is planned).
> 
> ok thanks!
> 
> I looked into DANE yesterday; I had never heard of it before that, as
> far as I can recall, and it appeared to need DNSSEC, which isn't
> something I've had an interest in deploying. I read what appeared to
> be a really good blog post on DNSSEC a few years ago that really
> ripped it apart (https://sockpuppet.org/blog/2015/01/15/against-dnssec/).
> I can't vouch for its accuracy, but the person seemed like they knew
> what they were talking about. That was, of course, 7 years ago, so
> maybe things have changed since.
> 
> nate

You should definitely deploy DNSSEC, but only after you are able to
deploy it properly.  That means having procedures to avoid nasty DNSSEC-
related downtime.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
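
An added example of the kind of procedure meant above (it is not code from this thread or from any of the posters): the most common self-inflicted DNSSEC outage is a zone whose RRSIG records expire before the signer re-signs them, so a routine check that parses the zone's RRSIGs and warns well before expiry belongs in any deployment runbook. The RRSIG lines below are constructed in RFC 4034 presentation format (owner, TTL, class, RRSIG, type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature) with placeholder signature data; the owner names, key tag, the seven-day threshold and the reference time (the date of this thread) are assumptions for the demonstration. In practice you would feed it the output of `dig +dnssec` or the signed zone file and run it from cron.

```python
"""Pre-flight / monitoring check for DNSSEC signature expiry.

Parses RRSIG records in zone-file presentation format (RFC 4034 s3.2) and
classifies each one as ok, expiring, expired, or not-yet-valid relative to
a given time.  Standard library only, so it runs offline.
"""
from datetime import datetime, timedelta, timezone

# Warn when a signature has less than this long to live.  Seven days is an
# assumed value; pick something larger than your re-signing interval plus
# the zone's TTLs so that secondaries and caches also see fresh RRSIGs.
WARN_BEFORE = timedelta(days=7)

# Constructed sample: the signature fields are placeholders, not real data.
# Fields: owner TTL IN RRSIG type alg labels orig-ttl expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
; constructed example records, not from a real zone
example.net.               3600 IN RRSIG MX   13 2 3600 20220905120000 20220822120000 12345 example.net. cGxhY2Vob2xkZXI=
mail.example.net.          3600 IN RRSIG A    13 3 3600 20220824120000 20220810120000 12345 example.net. cGxhY2Vob2xkZXI=
_25._tcp.mail.example.net. 3600 IN RRSIG TLSA 13 5 3600 20220901000000 20220818000000 12345 example.net. cGxhY2Vob2xkZXI=
old.example.net.           3600 IN RRSIG A    13 3 3600 20220820000000 20220806000000 12345 example.net. cGxhY2Vob2xkZXI=
"""

# Assumed reference time for the stand-alone run: the date of this thread.
CHECK_TIME = datetime(2022, 8, 22, 17, 38, tzinfo=timezone.utc)


def _parse_sigtime(field):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return a list of dicts, one per RRSIG line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # Eight RDATA fields follow the type before the base64 signature.
        type_covered, alg, labels, orig_ttl, exp, inc, keytag, signer = fields[i + 1:i + 9]
        records.append({
            "owner": fields[0],
            "type": type_covered,
            "algorithm": int(alg),
            "keytag": int(keytag),
            "signer": signer,
            "expiration": _parse_sigtime(exp),
            "inception": _parse_sigtime(inc),
        })
    return records


def classify(record, now, warn_before=WARN_BEFORE):
    """Validity status of one RRSIG at time `now`.

    A resolver treats the signature as valid only when
    inception <= now <= expiration; we additionally flag the window
    just before expiry so the operator acts before validation fails.
    """
    if now < record["inception"]:
        return "not-yet-valid"      # clock skew or signed-but-not-yet-live
    if now >= record["expiration"]:
        return "expired"            # validating resolvers now SERVFAIL
    if record["expiration"] - now <= warn_before:
        return "expiring"           # re-sign before caches go stale
    return "ok"


def check_rrsig_expiry(text, now, warn_before=WARN_BEFORE):
    """Return (owner, type, status, seconds_remaining) sorted by time left."""
    report = []
    for rec in parse_rrsigs(text):
        remaining = int((rec["expiration"] - now).total_seconds())
        report.append((rec["owner"], rec["type"], classify(rec, now, warn_before), remaining))
    return sorted(report, key=lambda r: r[3])


def problems(text, now, warn_before=WARN_BEFORE):
    """Only the records that need attention; empty means the zone is healthy."""
    return [r for r in check_rrsig_expiry(text, now, warn_before) if r[2] != "ok"]


if __name__ == "__main__":
    for owner, rtype, status, remaining in check_rrsig_expiry(SAMPLE_RRSIGS, CHECK_TIME):
        print(f"{status:13} {remaining / 86400:7.2f} days  {owner} {rtype}")
```

The check looks only at signature lifetimes; a complete runbook also verifies that the DS record at the parent matches a currently published KSK before and after every key rollover, since a DS/DNSKEY mismatch takes the whole zone down just as effectively as an expired RRSIG.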
