[dane] FYI: DANE-related upcoming Postfix 3.2 changes

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 05 December 2016 02:59 UTC

Date: Mon, 05 Dec 2016 02:59:33 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20161205025933.GT26244@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/R9YEwlFwOyy2TtntwpeXHNAmOc8>
Subject: [dane] FYI: DANE-related upcoming Postfix 3.2 changes
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

Now that RFCs 7671 and 7672 have been baked in for over a year,
some of the early Postfix DANE features that predate the final
specification are scheduled to be cleaned up for the upcoming
Postfix 3.2 release (~January 2017).

In particular:

    * RFC 7671 Digest algorithm agility will no longer be optional.
      This has been on by default with no observed issues.

    * Support for DANE-TA(2) records with matching types other than
      Full(0) will no longer be optional.  These are widely used,
      and support has been on by default with no significant issues.

    * Support for PKIX-EE(1) TLSA records (by pretending they
      were really DANE-EE(3)) will be dropped.  Out of the 3420 MX
      hosts in my survey, only "dougbarton.us" is using these, and
      there's no need to bend the spec to support one outlier.

While I have your attention, the number of domains (I've been able
to find) with TLSA records for all their MX hosts now exceeds
103000.  There are now 93 domains that have appeared in Google's
email transparency report at some point in time, and 44 of these
appear in a single recent report:

    gmx.at                  jpberlin.de             t-2.net
    conjur.com.br           lrz.de                  xs4all.net
    registro.br             mail.de                 overheid.nl
    gmx.ch                  posteo.de               xs4all.nl
    open.ch                 ruhr-uni-bochum.de      domeneshop.no
    anubisnetworks.com      tum.de                  webcruitermail.no
    gmx.com                 uni-erlangen.de         debian.org
    mail.com                unitybox.de             freebsd.org
    trashmail.com           unitymedia.de           gentoo.org
    xfinity.com             web.de                  ietf.org
    bayern.de               octopuce.fr             netbsd.org
    bund.de                 comcast.net             openssl.org
    fau.de                  dd24.net                samba.org
    gmx.de                  gmx.net                 torproject.org
    ish.de                  hr-manager.net

    ( https://www.google.com/transparencyreport/saferemail/ )

The hosting providers with the top 5 counts of DANE SMTP domains
are:

    42140 domeneshop.no
    32656 transip.nl
    15097 udmedia.de
     1758 bhosted.nl
     1273 nederhost.net

I believe this list will grow in the near future, and as a result
we'll see a substantial increase in the total number of domains.

-- 
	Viktor.
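As an added illustration (written for this archive page, not Postfix code), here is a TLSA record-selection routine that applies the three rules above: PKIX usages are unusable rather than reinterpreted as DANE-EE(3), DANE-TA(2) digest records are honoured, and RFC 7671 digest agility keeps only the strongest digest per (usage, selector) group. The certificate and SPKI byte strings are constructed placeholders, not real DER.

```python
import hashlib

# TLSA field values from the RFC 6698 / RFC 7671 registries.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3          # certificate usage
FULL, SHA256, SHA512 = 0, 1, 2                            # matching type
SUPPORTED_DIGESTS = {SHA256: hashlib.sha256, SHA512: hashlib.sha512}

def usable_records(records):
    """Filter (usage, selector, mtype, data) records as the message describes: PKIX-*
    usages are dropped (not reinterpreted as DANE-EE), DANE-TA digests are kept, and per
    RFC 7671 5.1 only Full(0) records and the strongest digest survive in each group."""
    groups = {}
    for rec in records:
        if rec[0] not in (DANE_TA, DANE_EE):
            continue                                      # unusable for SMTP (RFC 7672)
        if rec[2] != FULL and rec[2] not in SUPPORTED_DIGESTS:
            continue                                      # unknown digest: unusable
        groups.setdefault((rec[0], rec[1]), []).append(rec)
    kept = []
    for group in groups.values():
        digests = [r[2] for r in group if r[2] != FULL]
        strongest = max(digests, default=None)            # SHA2-512(2) ranks above SHA2-256(1)
        kept.extend(r for r in group if r[2] in (FULL, strongest))
    return kept

def record_matches(record, cert_der, spki_der):
    """True if the association data matches the certificate (selector 0) or its SPKI (1)."""
    _, selector, mtype, data = record
    target = cert_der if selector == 0 else spki_der
    if mtype == FULL:
        return data == target
    return data == SUPPORTED_DIGESTS[mtype](target).digest()

def dane_authenticates(records, chain):
    """chain: [(cert_der, spki_der), ...], end entity first. DANE-EE(3) is matched against
    the end entity only, DANE-TA(2) against any issuer in the chain (path validation elsewhere)."""
    for rec in usable_records(records):
        candidates = chain[:1] if rec[0] == DANE_EE else chain[1:]
        if any(record_matches(rec, c, s) for c, s in candidates):
            return True
    return False

# Constructed stand-ins for DER blobs (not real certificates).
EE_CERT, EE_SPKI = b"constructed-ee-cert-der", b"constructed-ee-spki-der"
CA_CERT, CA_SPKI = b"constructed-ca-cert-der", b"constructed-ca-spki-der"
SAMPLE_RECORDS = [
    (PKIX_EE, 0, SHA256, hashlib.sha256(EE_CERT).digest()),  # dropped: PKIX-EE(1)
    (DANE_EE, 1, SHA256, hashlib.sha256(EE_SPKI).digest()),  # dropped: weaker digest in group
    (DANE_EE, 1, SHA512, hashlib.sha512(EE_SPKI).digest()),  # kept
    (DANE_TA, 0, SHA256, hashlib.sha256(CA_CERT).digest()),  # kept: TA digest, not Full(0)
]
```

With these sample records the PKIX-EE(1) entry alone no longer authenticates anything, which is exactly the outlier case the message says Postfix 3.2 stops bending the spec for.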