Am 23. Mai 2018 07:54:41 MESZ schrieb Viktor Dukhovni via Exim-users <exim-users@???>:
>Yes, actually, the base specification is from late 2012,
just to clearify me a bit: DNSSEC (as a requirement for DANE spec.) is 20 years old now and as such it is far from "young" and - in practice - "widely outdated" by design, before it was and/or will be ever "really deployed".
It was one of the first tries to "gover" a spec down "from the top" (ICANN etc.) and without this pressure, nearly no one would use / provide it today - but until today only a part of the TLDs (registries and/or registrars) provide it and many others that and still have problems in run it properly, leading to disable DNSSEC in parts or completely even in large company networks.
If a german gov states DANE implicitely as a requirement for Email services (what is the case if the BSI gives such a statement) this leads to mich less, but large mass mail providers which are much easier "to handle" by the gov and his services then a classical Internet infrastructure service.
From a practical (i know the theory too) security view DANE "by" DNSSEC is much less useful then in theory and compared to other usual / even more modern technologies / standards (which are easier to deploy at any level, even required with DNSSEC and depend less from complex trust in many (not free to choose) parties.
I have no prob if someone decide to use DANE - i have a problem if a gov forces internet users / providers to deploy it (even implicitely as the BSI here) by law.
best regards,
Niels.
--
Niels Dettenbach
Syndicat IT & Internet
http://www.Syndicat.com
