On 11/07/2018 01:41 AM, Daniel Margolis wrote:
Sorry. Not a very constructive response. I think you have a very good point. I don't know if I would pursue it simply due to the additional complexity, however. In particular, it seems to only apply in the case where the MX is on a zone that can't/won't do DNSSEC but the mailbox domain does do DNSSEC (thus DANE doesn't work).
It may also be of benefit to zones that use DNSSEC but that want to automate Let's Encrypt certificate renewal. Automation of LE renewal is tricky when the private key changes so often, because you have to have a new fingerprint in TLSA before it goes into service.
It's possible to script LE to not change the private key, but then you end up with a private key that isn't rotated as often as it should be.
So they may simply not want to publish the TLSA records that DANE requires, even if they theoretically could. But MTA-STS would work fine for them; it doesn't break with automated cert renewal, including a fresh private key.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
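The ordering problem the reply describes can be made concrete. The script below is an added illustration, not code from the thread or from any MTA: it derives a DANE-EE TLSA record (usage 3, selector 1, matching type 1, i.e. SHA-256 over the SubjectPublicKeyInfo) for an MX host, checks whether a freshly generated key may go into service given the TLSA RRset that is currently published, and contrasts that with an MTA-STS `mx:` pattern match, which only ever looks at the MX hostname. The SPKI byte strings, the hostname `mx.example.com` and the policy pattern `*.example.com` are constructed for the example; in a real deployment the SPKI would be taken from the certificate.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
# A real deployment would extract these from the old and new certificates.
OLD_SPKI = b"constructed-der-spki-of-current-key"
NEW_SPKI = b"constructed-der-spki-of-freshly-generated-key"


def tlsa_rdata(spki_der: bytes) -> str:
    """TLSA RDATA for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_record(mx_host: str, spki_der: bytes, port: int = 25) -> str:
    """Full zone-file line for the MX host, owner name _<port>._tcp.<mx_host>."""
    return f"_{port}._tcp.{mx_host}. IN TLSA {tlsa_rdata(spki_der)}"


def dane_key_can_go_live(published_rdata: set[str], candidate_spki: bytes) -> bool:
    """A key may be served only once its TLSA record is already in DNS.

    This is the constraint behind the thread's point: a renewal that generates
    a fresh key and installs it immediately fails this check, and senders that
    validate DANE would reject the session until the new record is published
    (and, in practice, the old record's TTL has expired from caches).
    """
    return tlsa_rdata(candidate_spki) in published_rdata


def mta_sts_mx_matches(pattern: str, mx_host: str) -> bool:
    """Match an MTA-STS 'mx:' pattern against an MX hostname (RFC 8461, section 4.1).

    A leading '*.' wildcard matches exactly one leftmost label. The certificate's
    key never enters into it, which is why MTA-STS is unaffected by renewals that
    rotate the private key.
    """
    pattern = pattern.lower().rstrip(".")
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = mx_host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == mx_host


def simulate_renewal(published: set[str], new_spki: bytes,
                     sts_mx_patterns: list[str], mx_host: str) -> dict[str, bool]:
    """Outcome of putting a fresh key into service under DANE and under MTA-STS."""
    return {
        # Fresh key installed before its TLSA record exists: DANE senders fail.
        "dane_ok_now": dane_key_can_go_live(published, new_spki),
        # Same key after the operator pre-publishes the new record: DANE is fine.
        "dane_ok_after_publish": dane_key_can_go_live(
            published | {tlsa_rdata(new_spki)}, new_spki),
        # MTA-STS only checks that the MX name is covered by the policy.
        "mta_sts_ok": any(mta_sts_mx_matches(p, mx_host) for p in sts_mx_patterns),
    }


if __name__ == "__main__":
    mx = "mx.example.com"
    published = {tlsa_rdata(OLD_SPKI)}
    print("currently published:", tlsa_record(mx, OLD_SPKI))
    print("record needed for new key:", tlsa_record(mx, NEW_SPKI))
    for name, ok in simulate_renewal(published, NEW_SPKI, ["*.example.com"], mx).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The practical consequence matches the reply: with DANE, a renewal client that rotates the key must publish the new `3 1 1` record and wait out the TTL before switching the served certificate (or keep the old key, at the cost of less frequent rotation); with MTA-STS, the only thing pinned is the set of MX names, so the same renewal needs no DNS change at all.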
