On Thu, May 21, 2020 at 11:31:32PM -0400, Rich Felker wrote:
For example 472 domains alias MX hosts to mail.kingsquare.nl.This would still work with the opposite priority order: TLSA for the domain named in the MX taking precedence, with fallback to TLSA for the fully-resolved CNAME if there is no TLSA record for the former and the full CNAME chain is authenticated.
That could have been a possibility, as indeed would requiring the domain owner to actively provision a CNAME from _25._tcp.<cname-owner> to _25._tcp.<cname-target>.
I optimized for two considerations:
1. Ease of deployment. If your MX host provider (possibly after CNAME resolution) has TLSA records, you're done.
2. Alignment of operational responsibility. Whoever is operating the MX host is best positioned to keep correct TLSA RRs in place.
This meant preferring the TLSA RRs as close as possible to the actual MX host domain. Now you have a corner case where the MX host is really in the origin domain, and only its IP address resolution is delegated.
I must admit this was not considered at the time, but that I am considering it, I am not especially fond of the idea of switching the order of precedence.
What I can say is that TLSA RRs after CNAME indirection are not terribly common, and we could (at the cost of not supporting DANE for a small fraction of users) drop the CNAME chasing, not because of the dyn.com situation, but simply because it is complex, and perhaps not worth the cost.
Can you point me to a description of what is on-topic here? Even if this is not the right forum to make change, it seems like a reasonable forum to gauge opinion on the topic from people actually using DANE with SMTP and determine if or how approaching it in another forum (IETF) might be appropriate.
This is a very quiet list, mostly just my monthly posts, but occasionally some operational topics. Not much standards discussion here. It'd probably be just you and me, and we could do that off-list.
I could be misjuding who's here of course...