[exim] DNSSEC+DANE vs MTA-STS was GnuTLS vs OpenSSL

Góra strony
Delete this message
Reply to this message
Autor: Sabahattin Gucukoglu
Data:  
Dla: Sabahattin Gucukoglu via Exim-users
Stare tematy: Re: [exim] GnuTLS vs OpenSSL
Temat: [exim] DNSSEC+DANE vs MTA-STS was GnuTLS vs OpenSSL
On 30 Sep 2021, at 23:55, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> The primary use-case for MTA-STS at present is gmail.com, otherwise
> it is basically unused. I am not a fan of propping up Google's walled
> garden, so generally discourage its adoption. Below is a response to
> the USG's call for public comment on an architecture that includes MTA-STS:
>
> https://www.isi.edu/~hardaker/news/2021-09-20-DANE-vs-STS.html


Thank you. I didn’t realise this was a live issue. I see that you’ve commented on this thread also, as regards UK government:
https://twitter.com/NCSC/status/1443217761791008769

Why does Google, and government, take an issue in an inferior technology? I know Google were once going on about DNS response sizes and the problems of middleboxes, but since they have DNSSEC resolvers and this only pertains to MTA-MTA transfers, this is a non-issue for end-user clients.

The frustrating thing is, many registrar authority hosted DNS services offer DNSSEC-signing on their authority servers, but no support for TLSA records in their web UIs. If only that gap could be closed, then the case against DANE would be substantially limited.

Cheers,
Sabahattin