On 30 Sep 2021, at 23:55, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> The primary use-case for MTA-STS at present is gmail.com, otherwise
> it is basically unused. I am not a fan of propping up Google's walled
> garden, so generally discourage its adoption. Below is a response to
> the USG's call for public comment on an architecture that includes MTA-STS:
>
> https://www.isi.edu/~hardaker/news/2021-09-20-DANE-vs-STS.html
Thank you. I didn’t realise this was a live issue. I see that you’ve commented on this thread also, as regards the UK government:
https://twitter.com/NCSC/status/1443217761791008769
Why do Google, and government, take an interest in an inferior technology? I know Google were once going on about DNS response sizes and the problems of middleboxes, but since they have DNSSEC resolvers and this only pertains to MTA-MTA transfers, this is a non-issue for end-user clients.
The frustrating thing is, many registrar-hosted authoritative DNS services offer DNSSEC-signing on their authority servers, but no support for TLSA records in their web UIs. If only that gap could be closed, then the case against DANE would be substantially limited.
Cheers,
Sabahattin
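[Editor's note: the following worked example is added here and is not part of the mailing-list post or of Exim. It shows what the TLSA record the post says registrar UIs cannot publish actually contains (for the common "3 1 1" form: SHA-256 of the certificate's SubjectPublicKeyInfo), and how a DANE-verifying sending MTA matches a presented certificate against the RRset. It uses only the Python standard library; the "certificate" is a hand-built, unsigned DER structure laid out like an X.509 v3 certificate, and mx.example.net, the key bytes and the record owner name are constructed placeholders, not real data.]

```python
"""Added example (editor's code, not from the post): build a DANE TLSA record
for an MX host and match a presented certificate against it (RFC 6698 style).
The certificate is a constructed, unsigned DER structure; mx.example.net and
the key bytes are placeholders."""
import hashlib

# DER tags used below
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_split(buf):
    """Return (tag, content, rest) for the first TLV at the start of buf."""
    tag, first = buf[0], buf[1]
    if first & 0x80:
        n = first & 0x7F
        length, i = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    else:
        length, i = first, 2
    return tag, buf[i:i + length], buf[i + length:]

def der_children(tlv):
    """Immediate children of a constructed element, each as a complete TLV."""
    _, content, _ = der_split(tlv)
    children = []
    while content:
        _, _, rest = der_split(content)
        children.append(content[:len(content) - len(rest)])
        content = rest
    return children

def build_spki(point):
    """SubjectPublicKeyInfo for an id-ecPublicKey / prime256v1 key (point is a placeholder)."""
    alg = der(SEQ, der(OID, bytes.fromhex("2a8648ce3d0201"))
              + der(OID, bytes.fromhex("2a8648ce3d030107")))
    return der(SEQ, alg + der(BITSTR, b"\x00" + point))

def build_toy_certificate(spki, cn=b"mx.example.net"):
    """Unsigned certificate-shaped DER: Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    version = der(CTX0, der(INT, b"\x02"))                      # [0] EXPLICIT version v3
    serial = der(INT, b"\x01")
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn))))
    validity = der(SEQ, der(UTCTIME, b"210101000000Z") + der(UTCTIME, b"310101000000Z"))
    tbs = der(SEQ, version + serial + sig_alg + name + validity + name + spki)
    signature = der(BITSTR, b"\x00" + bytes(32))                # placeholder, not a real signature
    return der(SEQ, tbs + sig_alg + signature)

def subject_public_key_info(cert_der):
    """Extract the SPKI TLV from a DER certificate (what TLSA selector 1 covers)."""
    fields = der_children(der_children(cert_der)[0])             # tbsCertificate fields
    if fields[0][0] == CTX0:                                     # optional version shifts the rest
        fields = fields[1:]
    return fields[5]          # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """TLSA RDATA: (usage, selector, matching type, certificate association data)."""
    data = subject_public_key_info(cert_der) if selector == 1 else cert_der
    if matching == 1:
        data = hashlib.sha256(data).digest()
    elif matching == 2:
        data = hashlib.sha512(data).digest()
    return usage, selector, matching, data

def tlsa_presentation(owner, rdata):
    """Zone-file line an operator would paste into a DNS UI that supports TLSA."""
    usage, selector, matching, data = rdata
    return f"{owner} IN TLSA {usage} {selector} {matching} {data.hex()}"

def dane_ee_matches(cert_der, rrset):
    """True if the presented EE certificate matches any usage-3 (DANE-EE) record.
    Usage 0-2 records involve the CA chain and are not handled here."""
    return any(
        usage == 3 and tlsa_rdata(cert_der, usage, selector, matching)[3] == data
        for usage, selector, matching, data in rrset)

# Constructed sample data (placeholders, not real key material)
OWNER = "_25._tcp.mx.example.net."
SPKI = build_spki(b"\x04" + bytes(range(64)))
CERT = build_toy_certificate(SPKI)
ROTATED_CERT = build_toy_certificate(build_spki(b"\x04" + bytes(range(64, 128))))
RRSET = [tlsa_rdata(CERT, 3, 1, 1)]

if __name__ == "__main__":
    print(tlsa_presentation(OWNER, RRSET[0]))
    print("current key matches:", dane_ee_matches(CERT, RRSET))
    print("rotated key matches:", dane_ee_matches(ROTATED_CERT, RRSET))
```

The rotated-key case is the operational point behind publishing TLSA in DNS: the "3 1 1" record pins the key, so a key rollover must be preceded by publishing the new record (and waiting out the TTL) or DANE-verifying senders will refuse to deliver. With a real certificate the same association data is what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum` produces.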