Re: [dane] Digest Algorithm Agility discussion

Wes Hardaker <> Mon, 24 March 2014 16:02 UTC


Mark Andrews <> writes:

> If the site you want to email only has broken TLSA records, get
> them on the phone to fix the problem.

I agree with you, that's the ideal right solution!  However, the world
is a bit bigger than you can safely war-dial with a problem.  This has
been proven time and time again by the slow roll-out of every protocol
on the planet.  E.g., apparently not enough phone calls have been made to
the recursive resolvers of every ISP that fail to turn on DNSSEC
validation.  It's simply not scalable to fall back to a phone call, or
even automated email.  If we could, indeed, convince the world to
upgrade quickly just by contacting them, we wouldn't have BCP38
problems, spam problems, IPv4 address space problems, and insecure
algorithms in use problems.  But we very very much do.  Otherwise,
shouldn't we also call every SMTP service provider for every zone and
tell them to turn on TLS?  We haven't done that either (nor will

So, the alternative is to have a sliding roll-out that can support the
case where 50% of the world is in a new state and 50% is in the old
state.  Opportunistic turning-on of anything results in "when both
parties support it, it magically happens".  That includes both the
DANE/SMTP protocol itself, as well as the algorithm selection by
preferring a stronger one over a weaker one, but not stopping delivery
to the 50% of the world that hasn't switched yet.

The world has yet to succeed in a single flag day for any protocol.  Not

Wes Hardaker
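An added example, not part of this thread, of the client-side digest selection the message argues for: within each (certificate usage, selector) group of a TLSA RRset the strongest matching type the client supports wins, weaker digests in that group are ignored, and records the client cannot process are skipped rather than aborting delivery. The TLSA records, the client's supported set and the strength ordering below are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class TLSA(NamedTuple):
    usage: int     # certificate usage (0-3)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type: 0 = exact, 1 = SHA2-256, 2 = SHA2-512
    data: str      # hex of the certificate/SPKI or of its digest


# Assumed strength ranking of matching types (higher is stronger); an exact
# match has no digest to weaken, so it is ranked above both digests here.
STRENGTH: Dict[int, int] = {0: 3, 2: 2, 1: 1}


def select_usable(rrset: List[TLSA], supported: Set[int]) -> List[TLSA]:
    """Digest algorithm agility over a TLSA RRset.

    Records whose matching type the client does not support are unusable and
    dropped.  Among the remaining records of each (usage, selector) pair only
    those carrying the strongest supported matching type are kept, so a zone
    can publish SHA2-256 and SHA2-512 side by side during a transition.
    """
    groups: Dict[Tuple[int, int], List[TLSA]] = defaultdict(list)
    for rr in rrset:
        if rr.mtype in supported and rr.mtype in STRENGTH:
            groups[(rr.usage, rr.selector)].append(rr)
    chosen: List[TLSA] = []
    for rrs in groups.values():
        best = max(STRENGTH[rr.mtype] for rr in rrs)
        chosen.extend(rr for rr in rrs if STRENGTH[rr.mtype] == best)
    return chosen


def delivery_mode(rrset: List[TLSA], supported: Set[int]) -> str:
    """Decide how the SMTP client proceeds, never refusing to deliver."""
    if not rrset:
        return "no-tlsa"                # plain opportunistic TLS
    if select_usable(rrset, supported):
        return "dane-verify"            # authenticate against the chosen records
    return "unusable-opportunistic"     # nothing usable: still deliver over TLS


# Constructed RRset: a transitioning zone publishing both digests for one
# usage/selector pair plus a trust-anchor record with SHA2-256 only.
SAMPLE_RRSET = [TLSA(3, 1, 1, "aa" * 32), TLSA(3, 1, 2, "bb" * 64),
                TLSA(2, 0, 1, "cc" * 32)]
```

A client supporting both digests verifies the 3/1 pair with SHA2-512 only; a SHA2-256-only client still verifies using the weaker record instead of refusing delivery.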