On Tue, Apr 07, 2020 at 05:15:48PM +0200, Bjørn Mork wrote:
Their first step will be to support outbound DANE by end of 2020 and they plan to add inbound support for DANE by end of 2021.
I believe the very first step will have to be adding EDNS support: https://ednscomp.isc.org/ednscomp/298e5889d8
No DNSSEC without EDNS. And no DANE without DNSSEC.
Well, one can still do *outbound* DANE without any support for DNSSEC or even EDNS for one's own domain; it suffices for the domains that are secured by DANE to have EDNS + DNSSEC + TLSA RRs for all their MX hosts.
That said, I'm pleased to see that the link you posted shows that only one of the four tested nameservers for protection.outlook.com does not support EDNS; the other three are solid evidence that they can soon get there.
That still leaves a different correctness problem that affects all the servers (there are at least three more nameserver IP addresses associated with the nameservers in question):
    @104.47.15.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.67.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.68.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.69.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.72.81 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
The correct response is "NXDomain" not "NotImp":
    @104.47.15.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.67.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.68.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.69.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.72.81 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
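
Added example, not part of the original message: a stdlib-only Python check that asks the same owner name for A and TLSA and compares the response codes, which is the comparison shown in the two listings above. The function names and `sample_server` (a constructed stand-in that reproduces the reported replies, so the block runs offline) are assumptions of this example.

```python
import struct

TYPE_A, TYPE_TLSA = 1, 52                      # RR type codes (TLSA is 52)
RCODES = {0: "NoError", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def build_query(qname, qtype, txid=0x2020):
    """Encode a single-question DNS query (class IN, no EDNS) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def constructed_reply(query, rcode):
    """Constructed sample reply: echo the question, set QR and AA, set the rcode."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0, 0, 0) + query[12:]

def rcode_of(query, reply):
    """Return the rcode name of a reply after checking it matches the query."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0x000F, f"rcode{flags & 0x000F}")

def classify(a_rcode, tlsa_rcode):
    """NXDomain is a statement about the name, so it must not depend on the type."""
    if tlsa_rcode == a_rcode and tlsa_rcode in ("NoError", "NXDomain"):
        return "consistent"
    if tlsa_rcode == "NotImp" and a_rcode != "NotImp":
        return "type-specific NotImp"
    return "inconsistent"

def check(qname, reply_for):
    """reply_for(query_bytes) -> reply_bytes; a real UDP sender would plug in here."""
    results = {}
    for name, qtype in (("A", TYPE_A), ("TLSA", TYPE_TLSA)):
        query = build_query(qname, qtype, txid=0x2020 + qtype)
        results[name] = rcode_of(query, reply_for(query))
    return results, classify(results["A"], results["TLSA"])

def sample_server(query):
    """Constructed stand-in: NXDomain for A, NotImp for TLSA, as reported above."""
    qtype = struct.unpack("!H", query[-4:-2])[0]
    return constructed_reply(query, 4 if qtype == TYPE_TLSA else 3)

if __name__ == "__main__":
    print(check("_25._tcp.nist-gov.mail.protection.outlook.com.", sample_server))
```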