Re: [exim] Exim & DANE .. status ?

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim & DANE .. status ?


> On May 23, 2018, at 1:38 AM, Niels Dettenbach (Syndicat IT & Internet) <nd@???> wrote:
>
> DANE is very young?


Yes, actually, the base specification is from late 2012, but it
had browsers in mind, even though it has since turned out to
be a much better fit for MTA-to-MTA SMTP. I started the Postfix
implementation and the specification for DANE for SMTP in the
spring of 2013, and the first Postfix DANE release is from January
2014. The RFC, however, took longer and was only published in
October of 2015. I then contributed an implementation of DANE to
OpenSSL which made its way into the official 1.1.0 release in Jan
2017.

RedHat systems and Debian 8 (wheezy still widely used) are still
on versions of Postfix that predate DANE support, even though
every upstream supported version of Postfix (3.0, 3.1, 3.2 and
3.3) and even one no longer supported version (2.11) implements
DANE.

It takes many years to roll out new *infrastructure* capabilities
internet-wide. This space moves much more slowly than end-user
applications. I still see MTAs running Exim 4.63 in the wild;
it is ~12 years old!

Just recently the MTAs supporting DANE have expanded beyond
Postfix and Exim; we now also have Halon and Mailchannels,
and Cisco ESA (formerly Ironport) will be beta-testing DANE
later in a few months' time. It is early days yet.

We still need better tools to integrate DANE TLSA record updates
with Let's Encrypt certificate rollover, more monitoring
tools, better tools to automate KSK rollover (more registrars
and registries supporting CDS records), ...

> And some of the largest mail ISPs doesn't have the "time" or
> "resources"?


This too takes time; active24.cz managed to do this in a month
or two, others are taking longer, but I expect to be able to
tell you about much broader adoption a year or so from now.

Rolling out backbone technology is much harder than getting
users to deploy some new app...

-- 
    Viktor.