On Thu, Jan 31, 2019 at 08:58:04PM -0800, Alice Wonder via Exim-users wrote:
> One thing I am hoping is that an update to the standard will be
> published that allows the mode (enforce or testing or none) to be
> published in the DNS record for MTA-STS.
>
> When the zone is DNSSEC signed, the MX record could then be trusted and
> there would be no need to query the https server.
When the zone is DNSSEC-signed it can use DANE if its MX hosts are
also in signed zones and have TLSA records. Even Google now has a
few signed MX hosts in the form of mx[1234].smtp.goog . These are
actually alternative names for the same underlying bunch of nodes
as the unsigned names you're used to. Once they add TLSA records,
they'll have support for inbound DANE.
So I don't see a compelling case for signed domains to go with
MTA-STS.
--
Viktor.
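The inbound DANE step Viktor describes (an MX host in a signed zone, plus a TLSA record the sending MTA matches against the server certificate) looks like this in code. This is an added example for this thread, not Viktor's or Exim's code, and it covers both the publisher side (building the TLSA RDATA) and the client side (matching it), including the DANE-TA(2) usage the message does not discuss. The SPKI and certificate bytes are constructed stand-ins, the host name `mx1.smtp.goog` is borrowed from the message for illustration only, and no DNS or TLS is actually performed.

```python
import hashlib

# Constructed sample SubjectPublicKeyInfo (DER) for an Ed25519 key: the fixed
# 12-byte Ed25519 SPKI header followed by 32 made-up key bytes.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
# Constructed stand-in for the end-entity certificate bytes. A real client takes
# the DER certificate from the TLS handshake; selector 0 hashes it whole.
SAMPLE_CERT = b"constructed-ee-cert-stand-in:" + SAMPLE_SPKI
# Constructed stand-in (cert, SPKI) for an issuing CA, used with DANE-TA(2).
SAMPLE_TA = (b"constructed-ta-cert-stand-in",
             bytes.fromhex("302a300506032b6570032100") + bytes(32))


def tlsa_owner_name(mx_host, port=25):
    """Owner name the SMTP client queries, e.g. _25._tcp.mx1.smtp.goog"""
    return "_%d._tcp.%s" % (port, mx_host.rstrip(".").lower())


def association_data(selector, mtype, cert_der, spki_der):
    """Certificate association data for a selector/matching type, or None
    if the combination is one this client does not understand."""
    if selector == 0:
        subject = cert_der          # Cert(0): the full certificate
    elif selector == 1:
        subject = spki_der          # SPKI(1): SubjectPublicKeyInfo only
    else:
        return None
    if mtype == 0:
        return subject              # Full(0): exact bytes
    if mtype == 1:
        return hashlib.sha256(subject).digest()   # SHA2-256(1)
    if mtype == 2:
        return hashlib.sha512(subject).digest()   # SHA2-512(2)
    return None


def make_tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Publisher side: presentation-format RDATA, e.g. '3 1 1 <hex>'."""
    data = association_data(selector, mtype, cert_der, spki_der)
    if data is None:
        raise ValueError("unsupported selector/matching type")
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())


def parse_tlsa(rdata):
    """Parse presentation-format RDATA; the hex field may contain whitespace."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def dane_verify(tlsa_records, ee, chain=()):
    """Client side. ee and each chain element are (cert_der, spki_der) pairs.
    Returns 'match', 'mismatch', or 'unusable' (no record this client can use)."""
    usable = 0
    for rdata in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage not in (2, 3):
            # PKIX-TA(0) and PKIX-EE(1) are unusable for SMTP (RFC 7672 s3.1.3).
            continue
        candidates = [ee] if usage == 3 else list(chain)
        computed = [association_data(selector, mtype, c, s) for c, s in candidates]
        if any(x is None for x in computed):
            continue                # unknown selector or matching type
        usable += 1
        if data in computed:
            # For DANE-TA(2) a real client must also validate the certificate
            # chain up to the matched trust anchor; that PKIX step is omitted here.
            return "match"
    return "mismatch" if usable else "unusable"


if __name__ == "__main__":
    rec = make_tlsa_rdata(3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)
    print(tlsa_owner_name("mx1.smtp.goog."), "IN TLSA", rec)
    print(dane_verify([rec], (SAMPLE_CERT, SAMPLE_SPKI)))
```

The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one most MX operators publish, because it keeps working across certificate renewals as long as the key is reused. What a client does with an "unusable" result is MTA policy; the point for the thread is that once the TLSA RRset exists under a DNSSEC-signed name, the sender has everything it needs without an HTTPS fetch.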