On Fri, Nov 20, 2015 at 09:48:43PM -0500, Patrick Domack wrote:
> Yes, I have noticed it is a big movement in Germany. I have had a lot of people asking for help on setting up DANE in the last few months from there. But I can't get any movement that is noticeable here in the USA.
I think that what's needed is getting software support for DANE into OpenSSL, mTLS and GnuTLS, plus adoption by the major SMTP appliance vendors, IronPort, Proofpoint, ... and of course Microsoft Exchange. There's still some work to do.
Making it easier to update the DNS with the right records would also help; sadly, there's no satisfactory and standard management interface with a decent access control model, so automating publication of TLSA records is difficult.
Perhaps we need a new protocol by which a TLS server can securely pre-publish the next certificate without activating it (say, include it in a new TLS extension), thus allowing the DNS server operator to automate TLSA record updates by querying the SMTP server (authenticated via the current records).
If anyone has better ideas to automate coordination of DNS updates and key rotation, I'm all ears...
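An added example (not code from the post, nor from any DANE or Postfix project) of the DNS-side logic the pre-publication idea above implies. It assumes the SMTP server can hand the DNS operator its current SubjectPublicKeyInfo and, optionally, the one for its next certificate; the operator first checks the current key against the TLSA records already in the zone (the "authenticated via the current records" step) and only then computes the RRset to publish, following the add-then-swap rollover of RFC 7671 section 8. Records are "3 1 1" (DANE-EE, SPKI, SHA-256). The byte strings used as keys are constructed placeholders, not real DER.

```python
"""
DNS-side planning for a DANE TLSA key rollover.

Added example, not code from the post or from any DANE or Postfix project.
It models the coordination step the post proposes: a DNS operator is told the
server's *current* and (optionally) pre-announced *next* public key, checks
the current key against the TLSA records already in the zone, and only then
computes the RRset to publish.  Records use certificate usage 3 (DANE-EE),
selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).  The byte
strings passed in below are constructed placeholders, not real DER keys.
"""
import hashlib
from typing import Optional, Set

# TLSA RDATA fields: usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256
USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256 = 3, 1, 1


def tlsa_3_1_1(spki_der: bytes) -> str:
    """Presentation-format TLSA RDATA for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCH_SHA256} {digest}"


def _normalize(rrset: Set[str]) -> Set[str]:
    """TLSA hex data is case-insensitive; compare everything in lower case."""
    return {" ".join(r.split()).lower() for r in rrset}


def safe_to_update(published: Set[str], current_spki: bytes) -> bool:
    """
    The server we are talking to is trusted only via the records already in
    the zone: its current key must match one of them.  Bootstrapping the very
    first record is a separate, manual step and is deliberately not handled.
    """
    return tlsa_3_1_1(current_spki) in _normalize(published)


def plan_rollover(published: Set[str], current_spki: bytes,
                  next_spki: Optional[bytes]) -> Set[str]:
    """
    Return the TLSA RRset the zone should carry.

    Add-then-swap rollover (the pattern RFC 7671 section 8 recommends):
      1. while a next key is announced, publish current AND next, so that
         verifiers match before and after the server switches certificates;
      2. once the server has switched and announces nothing further, only the
         new current key remains, dropping the old record.
    The caller must keep the old record at least one TTL after the switch
    before applying the result of step 2; this function only says what the
    final RRset should be.
    """
    if not safe_to_update(published, current_spki):
        raise ValueError("server key matches no published TLSA record; refusing to update")
    wanted = {tlsa_3_1_1(current_spki)}
    if next_spki is not None:
        wanted.add(tlsa_3_1_1(next_spki))
    return wanted


def rollover_sequence(old_spki: bytes, new_spki: bytes) -> list:
    """Walk one rotation and return the RRset at each of its three phases."""
    steady = {tlsa_3_1_1(old_spki)}                        # old key live, nothing announced
    staged = plan_rollover(steady, old_spki, new_spki)     # next key announced: both published
    switched = plan_rollover(staged, new_spki, None)       # server now serves new key: old dropped
    return [steady, staged, switched]


if __name__ == "__main__":
    # Constructed placeholder "keys"; a real deployment hashes the SPKI DER
    # taken from the server's current and pre-published certificates.
    for phase, rrset in zip(("steady", "staged", "switched"),
                            rollover_sequence(b"current-key-spki", b"next-key-spki")):
        print(phase, sorted(rrset))
```

The refusal in plan_rollover is the part worth keeping whatever transport the pre-publication ends up using: a DNS operator that accepts a "next" key from a server whose current key matches nothing in the zone has turned its TLSA automation into a way for anyone who can answer on port 25 to rewrite the zone.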