ANN: Support of DANE and DNSSEC in Office 365 Exchange Online
All,
I'm extremely pleased to post that Microsoft has announced today they will support DANE and DNSSEC in Office 365 Exchange Online (https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494). Their first step will be to support outbound DANE by end of 2020 and they plan to add inbound support for DANE by end of 2021.
Please note that they will also implement support for TLSRPT (https://tools.ietf.org/html/rfc8460), which is a good thing[tm] if you run strict TLS policies for your email platform.
Well done, Microsoft! It's great to see a big player step forward, adopt DANE and make email more secure.
p@rick
Patrick Ben Koetter <p@sys4.de> writes:
> Their first step will be to support outbound DANE by end of 2020 and they plan to add inbound support for DANE by end of 2021.
I believe the very first step will have to be adding EDNS support: https://ednscomp.isc.org/ednscomp/298e5889d8
No DNSSEC without EDNS. And no DANE without DNSSEC.
Bjørn
On Tue, Apr 07, 2020 at 05:15:48PM +0200, Bjørn Mork wrote:
> > Their first step will be to support outbound DANE by end of 2020 and they plan to add inbound support for DANE by end of 2021.
> I believe the very first step will have to be adding EDNS support: https://ednscomp.isc.org/ednscomp/298e5889d8
> No DNSSEC without EDNS. And no DANE without DNSSEC.
Well, one can still do *outbound* DANE without any support for DNSSEC or even EDNS for one's own domain; it suffices for the domains that are secured by DANE to have EDNS + DNSSEC + TLSA RRs for all their MX hosts.
That said, I'm pleased to see that the link you posted shows that only one of the four tested nameservers for protection.outlook.com does not support EDNS; the other three are solid evidence that they can soon get there.
That still leaves a different correctness problem that affects all the servers (there are at least three more nameserver IP addresses associated with the nameservers in question):
  @104.47.15.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.67.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.68.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.69.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.72.81 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
  @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
The correct response is "NXDomain" not "NotImp":
  @104.47.15.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.67.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.68.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.69.17 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.72.81 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
  @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
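
The comparison made in the last message, as an added example that is not part of the original thread: ask one authoritative server for the same owner name as an A and as a TLSA query and compare the response codes. The name mail.example.net and all helper names are constructed for illustration, and the demo runs offline against constructed replies; probe() is the part that would talk to a real server.

```python
import socket
import struct

QTYPE = {"A": 1, "TLSA": 52}
RCODE = {0: "NoError", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query (no EDNS, RD clear) for an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def parse_rcode(response, txid=0x1234):
    """Return the RCODE name from a DNS response header."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return RCODE.get(flags & 0x000F, "rcode%d" % (flags & 0x000F))

def probe(server, qname, qtype, timeout=3.0):
    """Send one UDP query to `server` and return the RCODE name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return parse_rcode(s.recv(4096))

def tlsa_verdict(a_rcode, tlsa_rcode):
    """Compare the answers for A and TLSA at the same owner name."""
    if tlsa_rcode in ("NotImp", "ServFail", "Refused"):
        return "broken: TLSA query gets %s, A query gets %s" % (tlsa_rcode, a_rcode)
    if tlsa_rcode != a_rcode and "NXDomain" in (a_rcode, tlsa_rcode):
        return "inconsistent: name exists for one type but not the other"
    return "ok"

def fake_response(query, rcode):
    """Constructed reply for the offline demo: echo the query with QR=1, AA=1, `rcode`."""
    return query[:2] + struct.pack("!H", 0x8400 | rcode) + query[4:]

if __name__ == "__main__":
    name = "_25._tcp.mail.example.net."   # constructed name, not from the thread
    a = parse_rcode(fake_response(build_query(name, "A"), 3))
    t = parse_rcode(fake_response(build_query(name, "TLSA"), 4))
    print(a, t, "->", tlsa_verdict(a, t))
```
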
participants (3): Bjørn Mork, Patrick Ben Koetter, Viktor Dukhovni