Re: [exim] Exim & DANE .. status ?

Author: Niels Dettenbach (Syndicat IT & Internet)
Date:  
To: exim-users, Viktor Dukhovni via Exim-users
CC: Viktor Dukhovni
Subject: Re: [exim] Exim & DANE .. status ?
On 23 May 2018 07:54:41 CEST, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
>Yes, actually, the base specification is from late 2012,


Just to clarify a bit: DNSSEC (as a requirement for the DANE spec.) is 20 years old now and as such it is far from "young" and - in practice - "widely outdated" by design, before it was and/or ever will be "really deployed".

It was one of the first tries to "govern" a spec down "from the top" (ICANN etc.) and without this pressure, nearly no one would use / provide it today - but until today only a part of the TLDs (registries and/or registrars) provide it, and many others still have problems running it properly, leading to disabling DNSSEC in parts or completely, even in large company networks.

If a German gov states DANE implicitly as a requirement for email services (which is the case if the BSI gives such a statement), this leads to much fewer, but large, mass mail providers, which are much easier "to handle" by the gov and its services than a classical Internet infrastructure service.

From a practical (I know the theory too) security view, DANE "by" DNSSEC is much less useful than in theory and compared to other usual / even more modern technologies / standards (which are easier to deploy at any level, even required with DNSSEC, and depend less on complex trust in many (not free to choose) parties).

I have no prob if someone decides to use DANE - I have a problem if a gov forces internet users / providers to deploy it (even implicitly, as the BSI here) by law.


best regards,

Niels.
--
Niels Dettenbach
Syndicat IT & Internet
http://www.Syndicat.com