[dane] FYI: DANE-related upcoming Postfix 3.2 changes
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 05 December 2016 02:59 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/R9YEwlFwOyy2TtntwpeXHNAmOc8>
Now that RFCs 7671 and 7672 have been baked in for over a year, some of the early Postfix DANE features that predate the final specification are scheduled to be cleaned up for the upcoming Postfix 3.2 release (~January 2017). In particular:

  * RFC 7671 Digest algorithm agility will no longer be optional. This has been on by default with no observed issues.

  * Support for DANE-TA(2) records with matching types other than Full(0) will no longer be optional. These are widely used, and support has been on by default with no significant issues.

  * Support for PKIX-EE(1) TLSA records (by pretending they were really DANE-EE(3)) will be dropped. Out of the 3420 MX hosts in my survey, only "dougbarton.us" is using these, and there's no need to bend the spec to support one outlier.

While I have your attention, the number of domains (I've been able to find) with TLSA records for all their MX hosts now exceeds 103000. There are now 93 domains that have appeared in Google's email transparency report at some point in time, and 44 of these appear in a single recent report:

    gmx.at              jpberlin.de         t-2.net
    conjur.com.br       lrz.de              xs4all.net
    registro.br         mail.de             overheid.nl
    gmx.ch              posteo.de           xs4all.nl
    open.ch             ruhr-uni-bochum.de  domeneshop.no
    anubisnetworks.com  tum.de              webcruitermail.no
    gmx.com             uni-erlangen.de     debian.org
    mail.com            unitybox.de         freebsd.org
    trashmail.com       unitymedia.de       gentoo.org
    xfinity.com         web.de              ietf.org
    bayern.de           octopuce.fr         netbsd.org
    bund.de             comcast.net         openssl.org
    fau.de              dd24.net            samba.org
    gmx.de              gmx.net             torproject.org
    ish.de              hr-manager.net

    ( https://www.google.com/transparencyreport/saferemail/ )

The hosting providers with the top 5 counts of DANE SMTP domains are:

    42140 domeneshop.no
    32656 transip.nl
    15097 udmedia.de
     1758 bhosted.nl
     1273 nederhost.net

I believe this list will grow in the near future, and as a result we'll see a substantial increase in the total number of domains.

--
    Viktor.
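The three TLSA-handling changes listed in the message, sketched as an added example (not part of the original post and not Postfix code): it filters a TLSA RRset down to the records an SMTP client would still match against. The function names, the sample RRset and its truncated hex data are constructed; treating PKIX-TA(0) as unusable alongside PKIX-EE(1), and ranking SHA2-512(2) above SHA2-256(1), are assumptions following RFC 7672 and RFC 7671.

```python
from collections import defaultdict

# Assumption: usages 0 and 1 are unusable for SMTP (no mapping of 1 -> 3).
SMTP_USAGES = {2, 3}             # DANE-TA(2), DANE-EE(3)
# Assumption: local digest preference, higher is stronger. Full(0) is not a digest.
DIGEST_RANK = {1: 1, 2: 2}       # SHA2-256(1) < SHA2-512(2)

def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()

def usable_tlsa(rrset):
    """Return the sorted records left after dropping unusable usages and
    applying digest algorithm agility per (usage, selector) group."""
    groups = defaultdict(list)
    for rr in map(parse_tlsa, rrset):
        usage, selector, mtype, _ = rr
        if usage not in SMTP_USAGES or selector not in (0, 1):
            continue                          # e.g. PKIX-EE(1) is skipped here
        if mtype != 0 and mtype not in DIGEST_RANK:
            continue                          # unsupported matching type
        groups[(usage, selector)].append(rr)
    kept = []
    for rrs in groups.values():
        # Strongest digest present in this group; None if only Full(0) records.
        best = max((DIGEST_RANK[r[2]] for r in rrs if r[2] != 0), default=None)
        # Full(0) is always kept; weaker digests in the same group are ignored.
        kept += [r for r in rrs if r[2] == 0 or DIGEST_RANK[r[2]] == best]
    return sorted(kept)

# Constructed sample RRset; hex data is truncated placeholder material.
SAMPLE_RRSET = [
    "1 1 1 aa11",   # PKIX-EE(1): unusable once the 1 -> 3 mapping is dropped
    "3 1 1 bb22",   # DANE-EE SPKI SHA2-256: ignored, SHA2-512 is present
    "3 1 2 cc33",   # DANE-EE SPKI SHA2-512: strongest digest for (3, 1)
    "2 0 1 dd44",   # DANE-TA Cert SHA2-256: only digest for (2, 0), kept
    "2 0 0 3082",   # DANE-TA Cert Full(0): always kept
]

if __name__ == "__main__":
    for rr in usable_tlsa(SAMPLE_RRSET):
        print(*rr)
```

A domain publishing only usage 1 records ends up with an empty result here, which is the situation the message describes for the one outlier host.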