Hi,
I know MTA-STS provides an alternative to DANE for SMTP and does not
require DNSSEC.
However, when the zone is protected by DNSSEC there could be an improvement.
All the specification of mode and ttl in DNS could be done in the existing
TXT record or an additional TXT record.
This would allow discovery of MTA policy even if the web server was
unavailable due to DDoS or server misconfiguration.
The premise is that the MX record can be trusted in DNSSEC signed zones if
the sending MTA uses a DNSSEC enforcing resolver (as many do; that's the
default for unbound).
The web server component should obviously still be required for a
receiving domain to be MTA-STS compliant, because not all sending clients
have the ability to validate DNSSEC, but it would add some robustness to
MTA clients that do, as well as saving them an https request if the
MTA-STS policy mode and ttl are specified in DNS.
I apologize if this suggestion has already been discussed and rejected.
My intent is not to rehash old discussions.
Alice Wonder
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
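The discovery step the mail above is talking about, as an added example that is not part of the original post and not code from any MTA-STS implementation: it parses the RFC 8461 `_mta-sts.<domain>` TXT record and the HTTPS policy file, and then shows the proposed DNS-only path beside the standard path. The TXT keys `mode` and `max_age` used for that path are hypothetical (RFC 8461 defines only `v` and `id`), the `dnssec_validated` flag stands in for a validating resolver's AD bit, and the DNS answers and HTTPS fetches are constructed in-memory data so the script runs offline.

```python
"""Added example: MTA-STS policy discovery, standard path and a hypothetical
DNS-only path for DNSSEC-validated zones. Not from the UTA thread or any
MTA-STS implementation; sample records below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Policy:
    mode: str                  # "enforce", "testing" or "none"
    max_age: int               # seconds the sender may cache the policy
    mx: list[str] = field(default_factory=list)
    source: str = "https"      # where the policy came from: "https" or "dns"


def parse_txt(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' form of the _mta-sts TXT record (RFC 8461 section 3.1)."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed TXT field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid STSv1 record")
    return fields


def parse_policy(body: str) -> Policy:
    """Parse the policy file served at /.well-known/mta-sts.txt (RFC 8461 section 3.2)."""
    mx, values = [], {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value)       # "mx" may repeat; every other key appears once
        else:
            values[key] = value
    if values.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if values.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not mx and values["mode"] != "none":
        raise ValueError("policy needs at least one mx")
    return Policy(mode=values["mode"], max_age=int(values.get("max_age", "")), mx=mx)


def discover_policy(txt_record: str, dnssec_validated: bool, mx_hosts: list[str],
                    fetch_https: Callable[[], Optional[str]]) -> Optional[Policy]:
    """Standard path: TXT record present, policy fetched over HTTPS.
    Hypothetical path (the proposal): TXT carries mode and max_age and the
    answer was DNSSEC-validated, so the MX set from the signed zone is used
    and no HTTPS request is made. No usable policy at all returns None."""
    try:
        fields = parse_txt(txt_record)
    except ValueError:
        return None  # no valid MTA-STS record: treat the domain as having none
    # Hypothetical DNS-only path; only trusted when the resolver validated DNSSEC.
    if dnssec_validated and fields.get("mode") in ("enforce", "testing", "none"):
        try:
            return Policy(mode=fields["mode"], max_age=int(fields.get("max_age", "")),
                          mx=list(mx_hosts), source="dns")
        except ValueError:
            pass  # malformed max_age: fall back to the HTTPS policy
    body = fetch_https()
    if body is None:
        return None  # policy host unreachable and nothing DNSSEC-backed to use
    try:
        return parse_policy(body)
    except ValueError:
        return None


# Constructed sample data (hypothetical domain, not real records).
TXT_STANDARD = "v=STSv1; id=20240101000000Z"
TXT_EXTENDED = "v=STSv1; id=20240101000000Z; mode=enforce; max_age=604800"
POLICY_BODY = ("version: STSv1\nmode: enforce\nmx: mail.example.net\n"
               "mx: *.example.net\nmax_age: 604800\n")
MX_HOSTS = ["mail.example.net"]


def web_up() -> Optional[str]:
    return POLICY_BODY


def web_down() -> Optional[str]:
    return None  # simulates the policy host being unreachable (DDoS, misconfiguration)


if __name__ == "__main__":
    for label, txt, dnssec, fetch in [
        ("standard TXT, web up", TXT_STANDARD, False, web_up),
        ("standard TXT, web down", TXT_STANDARD, False, web_down),
        ("extended TXT, DNSSEC validated, web down", TXT_EXTENDED, True, web_down),
        ("extended TXT, no DNSSEC, web down", TXT_EXTENDED, False, web_down),
    ]:
        print(f"{label}: {discover_policy(txt, dnssec, MX_HOSTS, fetch)}")
```

The third case is the one the mail argues for: with the web server down, a sender that validates DNSSEC still ends up with an enforce policy, while the fourth case shows that a sender without DNSSEC validation gets nothing and must keep depending on the HTTPS policy, which is why the web component stays mandatory.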