Re: [ietf-smtp] How to encrypt SMTP?

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 28 October 2019 14:42 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <20191027150013.5715BD79FC5@ary.qy>
Date: Mon, 28 Oct 2019 10:42:07 -0400
Message-Id: <75EFF280-482A-4CD8-AA68-96F37E6A38C6@dukhovni.org>
References: <20191027150013.5715BD79FC5@ary.qy>
To: ietf-smtp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/SeOqIFHXXC2CJwBltVaTfqLOQgk>
Subject: Re: [ietf-smtp] How to encrypt SMTP?

> On Oct 27, 2019, at 11:00 AM, John Levine <johnl@taugh.com> wrote:
> 
>> Bottom line, sign-away, you'll not have any issues, unless your domain
>> is hosted by a small number of small (mostly Dutch) providers.
> 
> I agree that the DNSSEC problems have close to nothing to do with mail issues.
> But it's hard to sign the MX records for a domain without also signing the A
> and AAAA records.

Yes, signatures are zone-wide, but while mobile clients behind broken
middleboxes may not be able to take advantage of DNSSEC signatures,
they generally continue to function, with DNS security disabled.  Were
that not the case, ~10 million signed domains would have DNSSEC-related
problems serving web pages (which is not the case).  Top 20 slightly
dated website ranks of DNSSEC signed domains:

    50 mozilla.org
    75 nih.gov
    84 paypal.com
    91 europa.eu
   132 force.com
   181 stanford.edu
   194 quizlet.com
   210 cloudflare.com
   221 nasa.gov
   228 debian.org
   235 canva.com
   240 time.com
   246 cdc.gov
   251 taboola.com
   262 foxnews.com
   268 washingtonexaminer.com
   280 mediafire.com
   281 statcounter.com
   283 thestartmagazine.com
   304 berkeley.edu

-- 
	Viktor.
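Added example (not code from the thread): a standard-library checker that asks a validating resolver for a domain's MX, A and AAAA records with the EDNS0 DO bit set and reports the AD flag per answer. Because signatures are zone-wide, a correctly signed zone should validate for all three; a resolver path that cannot do DNSSEC (the broken-middlebox case above) still answers, just with AD clear. The resolver address 127.0.0.1 is an assumption.

```python
"""Report the DNSSEC AD flag for a domain's MX, A and AAAA answers.

Sends queries with the EDNS0 DO bit to a validating resolver (assumed
to be 127.0.0.1) and decodes the reply header. AD set means the
resolver validated the chain; AD clear with a normal rcode is the
"works, but unsigned" fallback described in the thread.
"""
import os
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28, "MX": 15}

def build_query(name, qtype, do_bit=True):
    """Return (query id, wire-format query) with RD set and an OPT RR carrying DO."""
    qid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT pseudo-RR: root name, type 41, UDP payload 4096, TTL field carries flags (DO = 0x8000)
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)) if do_bit else b""
    return qid, header + question + opt

def parse_header(response, expected_id):
    """Decode the 12-byte DNS header; raise if the id does not match our query."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != expected_id:
        raise ValueError("response id mismatch")
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": an}

def check_dnssec(name, resolver="127.0.0.1", timeout=3.0):
    """Query MX, A and AAAA; return {type: AD flag} (None on timeout or bad reply)."""
    result = {}
    for qtype in ("MX", "A", "AAAA"):
        qid, query = build_query(name, qtype)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(query, (resolver, 53))
                data, _ = s.recvfrom(4096)
                result[qtype] = parse_header(data, qid)["ad"]
            except (socket.timeout, ValueError):
                result[qtype] = None
    return result

if __name__ == "__main__":
    import sys
    # mozilla.org is one of the signed domains listed in the post
    print(check_dnssec(sys.argv[1] if len(sys.argv) > 1 else "mozilla.org"))
```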