On Fri, Nov 20, 2015 at 09:12:49PM -0500, Patrick Domack wrote:
> I have been attempting to push more people to use DANE, but it is hard.
> More and more server admins keep asking to not send email to their domains without TLS verification or certificate pinning, but none of them have heard of DANE. Most don't even have DNSSEC.
Thanks for helping get the message out. Yes, it is difficult to get initial momentum. Still, certificate pinning scales exceedingly poorly, so it is worth trying.
This is still fairly early in the adoption cycle. I need to get DANE TLS adopted into OpenSSL. Some initial code is awaiting internal team review... It will be important to see DANE support in more than Postfix and early adopter releases of Exim.
The folks publishing TLSA records need only DNSSEC and some operational discipline, no need (at the same time) to deploy an MTA that can verify such records. They may need better DNSSEC tools. IIRC Microsoft significantly enhanced DNSSEC support in recent releases of ActiveDirectory.
Adoption has grown from a hundred or so domains last summer to thousands now, but mostly small domains. I hope momentum will pick up once web.de and gmx.de go live.
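As an added example, not code from this thread, from Postfix or from OpenSSL: a small Go program that derives the DANE-EE record ("3 1 1", SHA-256 over the certificate's SubjectPublicKeyInfo) an MX operator would publish, and checks a presented certificate against such a record. The host name mx1.example.net and the self-signed certificate are constructed stand-ins; a real deployment publishes the record under a DNSSEC-signed zone.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of a TLSA record (RFC 6698): usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// TLSAData derives the association data: selector 0 hashes the whole DER certificate,
// selector 1 only its SubjectPublicKeyInfo. Only SHA-256 (matching type 1) is handled.
func TLSAData(cert *x509.Certificate, selector, matching uint8) ([]byte, bool) {
	in := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if in == nil || matching != 1 {
		return nil, false // unknown selector or matching type: refuse, never guess
	}
	sum := sha256.Sum256(in)
	return sum[:], true
}

// Matches checks a presented end-entity certificate against a DANE-EE (usage 3) record;
// usages 0-2 need PKIX chain validation, so they are rejected here rather than assumed to pass.
func Matches(rec TLSA, cert *x509.Certificate) bool {
	got, ok := TLSAData(cert, rec.Selector, rec.Matching)
	return rec.Usage == 3 && ok && bytes.Equal(got, rec.Data)
}

// NewSampleCert makes a throwaway self-signed certificate standing in for an MX host's
// certificate (constructed sample, not fetched from any real server).
func NewSampleCert(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	cert := NewSampleCert("mx1.example.net") // hypothetical MX host name
	data, _ := TLSAData(cert, 1, 1)
	fmt.Printf("_25._tcp.mx1.example.net. IN TLSA 3 1 1 %x\nmatches: %v\n", data, Matches(TLSA{3, 1, 1, data}, cert))
}
```

Because the record pins only the public key, the MX operator can renew the certificate under the same key without touching DNS, which is the "operational discipline" part: the record must be updated (with overlap) before any key change.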