Re: [exim] MTA-STS support?

Author: Viktor Dukhovni
Date:  
To: exim-users@exim.org
Subject: Re: [exim] MTA-STS support?
> On Feb 3, 2019, at 11:28 PM, Alice Wonder via Exim-users <exim-users@???> wrote:
>
> Some don't want to have to coordinate certificates with fingerprints in TLSA records;
> as more hosting providers provide DNSSEC by default when you use their DNS as
> well, MTA-STS may be easier than a new fingerprint from the keypair every time a
> new key is generated.


The same providers that have DNSSEC on by default often also have DANE-enabled MX
hosts, e.g. most notably one.com, but also transip.nl, domeneshop.no, ...

The job of keeping TLSA records up to date falls on the MX host operator, not
on the domain operator, so for example, one.com has to manage only a couple of
dozen TLSA RRs (to cover their various MX clusters) and thereby enable DANE for
presently ~674k domains.

> And some distributions of Exim ship without DANE enabled at build-time. Fedora, for example. Not sure why.
>
> But I agree DANE for SMTP is better.


Well, we architect for a horizon somewhat beyond the present moment, so we
can wait a bit and see how this plays out.

-- 
    Viktor.
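The point above about TLSA records belonging to the MX host operator rather than the domain owner can be made concrete with a small model of the lookup a sending MTA performs. This is an added example, not code from the thread or from Exim; the zone data, hostnames (`hoster.example`, `customer-a.example`, `customer-b.example`) and SPKI byte strings are constructed placeholders, and DNSSEC validation is assumed to have already succeeded.

```python
import hashlib

# Constructed stand-in for DNSSEC-signed DNS data: placeholder hostnames, not a
# real provider's records, and placeholder SPKI bytes, not real keys.
ZONE = {
    ("customer-a.example", "MX"): ["mx1.hoster.example", "mx2.hoster.example"],
    ("customer-b.example", "MX"): ["mx1.hoster.example", "mx2.hoster.example"],
}
OLD_SPKI = b"constructed-spki-before-rotation"
NEW_SPKI = b"constructed-spki-after-rotation"

def tlsa_3_1_1(spki_der):
    """DANE-EE (3), SPKI selector (1), SHA-256 (1): the usual record for an MX host."""
    return (3, 1, 1, hashlib.sha256(spki_der).hexdigest())

def publish_tlsa(zone, mx_host, spki_der):
    """The MX operator replaces the one RRset at _25._tcp.<mx host>; customer zones are untouched."""
    zone[("_25._tcp." + mx_host, "TLSA")] = [tlsa_3_1_1(spki_der)]

def spki_matches(rrset, spki_der):
    """True if any DANE-EE/SPKI record in the RRset matches the presented key."""
    for usage, selector, mtype, data in rrset:
        if usage != 3 or selector != 1:
            continue  # PKIX usages and the full-certificate selector are out of scope here
        digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(mtype)
        if digest is not None and data == digest(spki_der).hexdigest():
            return True
    return False

def connection_verifies(zone, domain, mx_host, presented_spki):
    """Sending MTA's view: MX RRset of the domain, then TLSA under the chosen MX host."""
    if mx_host not in zone[(domain, "MX")]:
        return False
    rrset = zone.get(("_25._tcp." + mx_host, "TLSA"), [])
    return spki_matches(rrset, presented_spki)

def tlsa_rrsets_published(zone):
    """Number of TLSA RRsets the provider maintains, independent of how many domains point at it."""
    return sum(1 for _, rtype in zone if rtype == "TLSA")

if __name__ == "__main__":
    for mx in ("mx1.hoster.example", "mx2.hoster.example"):
        publish_tlsa(ZONE, mx, OLD_SPKI)  # initial deployment
    print(connection_verifies(ZONE, "customer-a.example", "mx1.hoster.example", OLD_SPKI))
    publish_tlsa(ZONE, "mx1.hoster.example", NEW_SPKI)  # key rotation on one host
    print(connection_verifies(ZONE, "customer-b.example", "mx1.hoster.example", NEW_SPKI))
    print(tlsa_rrsets_published(ZONE))  # 2 RRsets serve both customer domains
```

After the rotation on `mx1`, both customer domains verify against the new key without any change to their own zones, which is the division of labour the message describes.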