[exim] DNSSEC+DANE vs MTA-STS was GnuTLS vs OpenSSL

Author: Sabahattin Gucukoglu
Date:
To: Sabahattin Gucukoglu via Exim-users
Old threads: Re: [exim] GnuTLS vs OpenSSL
Subject: [exim] DNSSEC+DANE vs MTA-STS was GnuTLS vs OpenSSL
On 30 Sep 2021, at 23:55, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> The primary use-case for MTA-STS at present is gmail.com, otherwise
> it is basically unused. I am not a fan of propping up Google's walled
> garden, so generally discourage its adoption. Below is a response to
> the USG's call for public comment on an architecture that includes MTA-STS:
>
> https://www.isi.edu/~hardaker/news/2021-09-20-DANE-vs-STS.html
Thank you. I didn’t realise this was a live issue. I see that you’ve commented on this thread also, as regards UK government:
https://twitter.com/NCSC/status/1443217761791008769

Why does Google, and government, take an issue in an inferior technology? I know Google were once going on about DNS response sizes and the problems of middleboxes, but since they have DNSSEC resolvers and this only pertains to MTA-MTA transfers, this is a non-issue for end-user clients.

The frustrating thing is, many registrar authority hosted DNS services offer DNSSEC-signing on their authority servers, but no support for TLSA records in their web UIs. If only that gap could be closed, then the case against DANE would be substantially limited.

Cheers,
Sabahattin