Congratulations Viktor!
Thorough and insistent work. You've done a great job authoring these documents.
p@rick
* Viktor Dukhovni <dane-users@sys4.de>:
After a two-and-a-half-year process, the DANE SMTP and DANE OPS drafts are now published IETF RFCs:
https://tools.ietf.org/html/rfc7671
The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance
This document clarifies and updates the DNS-Based Authentication of Named Entities (DANE) TLSA specification (RFC 6698), based on subsequent implementation experience. It also contains guidance for implementers, operators, and protocol developers who want to use DANE records.
https://tools.ietf.org/html/rfc7672
SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
This memo describes a downgrade-resistant protocol for SMTP transport security between Message Transfer Agents (MTAs), based on the DNS-Based Authentication of Named Entities (DANE) TLSA DNS record. Adoption of this protocol enables an incremental transition of the Internet email backbone to one using encrypted and authenticated Transport Layer Security (TLS).
It is now time to shift my attention back to implementation in TLS libraries. The community can help by promoting adoption, and making sure that your deployment stays valid at all times. Please pay close attention to:
https://dane.sys4.de/common_mistakes#3
https://dane.sys4.de/common_mistakes#8
https://tools.ietf.org/html/rfc7671#section-8.1
https://tools.ietf.org/html/rfc7671#section-8.4
https://tools.ietf.org/html/rfc7672#section-3.1.1
https://tools.ietf.org/html/rfc7672#section-3.1.2
https://tools.ietf.org/html/rfc7672#section-3.1.3
Just in case you overlooked something, please always retest your domain's TLSA records after deploying fresh certificates and/or private keys.
https://dane.sys4.de
-- Viktor.
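The quoted message asks operators to retest their TLSA records every time a fresh certificate or private key is deployed. The script below is an added example, not code from this thread or from Viktor, showing that check offline: it pulls the subjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker, recomputes the record data for a given selector and matching type (selector 1 = SPKI, matching type 1 = SHA-256, as in a "3 1 1" record), and compares it with the published record data. The certificate and key material are a constructed, minimal DER structure, not a real certificate; in practice the input is the DER of the certificate the MTA actually presents and the record fetched from DNS. It also illustrates why a renewal that keeps the same key pair leaves a "3 1 1" record valid while a new key pair silently invalidates it.

```python
"""Recompute TLSA record data from a certificate and compare it with the
published record. Added example; the certificate below is a constructed,
minimal DER structure with dummy contents, not a real certificate or key."""
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a short- or long-form length."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_walk(data: bytes):
    """Yield (tag, whole_element, content) for each element in a DER blob."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 128:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        end = i + hdr + length
        yield tag, data[i:end], data[i + hdr:end]
        i = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    outer = list(der_walk(cert_der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, _, tbs_content = next(der_walk(outer[0][2]))
    if tbs_tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = list(der_walk(tbs_content))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is optional
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]                      # whole element, tag and length included


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Hex "certificate association data" for the given selector/matching type."""
    obj = {0: cert_der, 1: extract_spki(cert_der)}[selector]   # 0 = full cert, 1 = SPKI
    if matching == 0:
        return obj.hex()                     # full object, no hash
    if matching == 1:
        return hashlib.sha256(obj).hexdigest()
    if matching == 2:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_matches(cert_der: bytes, selector: int, matching: int, published: str) -> bool:
    """True if the published record data (hex, spaces allowed) matches cert_der.
    For usage 3 (DANE-EE) pass the end-entity certificate the MTA presents."""
    return tlsa_data(cert_der, selector, matching) == published.lower().replace(" ", "")


# ---- constructed demo material (not a real certificate) -------------------
RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption
SHA256_RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")


def demo_spki(key_bytes: bytes) -> bytes:
    """SPKI with the rsaEncryption algorithm id and a placeholder BIT STRING."""
    return der_tlv(0x30, der_tlv(0x30, RSA_OID + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + key_bytes))


def demo_cert(spki: bytes, serial: int) -> bytes:
    """Structurally valid certificate skeleton with dummy names and no real signature."""
    sig_alg = der_tlv(0x30, SHA256_RSA_OID + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 5))


OLD_KEY = demo_spki(bytes(range(1, 17)))
NEW_KEY = demo_spki(bytes(range(100, 132)))
CURRENT_CERT = demo_cert(OLD_KEY, 1)         # what DNS was provisioned from
RENEWED_SAME_KEY = demo_cert(OLD_KEY, 2)     # renewal, key pair reused
RENEWED_NEW_KEY = demo_cert(NEW_KEY, 3)      # renewal, fresh key pair


def rollover_report() -> dict:
    """Re-check a published '3 1 1' record against each deployed certificate."""
    published = tlsa_data(CURRENT_CERT, 1, 1)
    return {name: tlsa_matches(cert, 1, 1, published) for name, cert in
            [("same key", RENEWED_SAME_KEY), ("new key", RENEWED_NEW_KEY)]}


if __name__ == "__main__":
    for name, ok in rollover_report().items():
        print(f"{name}: {'record still valid' if ok else 'UPDATE TLSA RECORD'}")
```

Running it prints that the renewal with the reused key still matches while the one with a new key does not; that second case is exactly the situation the retest is meant to catch before the record goes stale.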