Re: [Shutup] [ietf-smtp] DNSSEC, was New Version Notification for draft-fenton-smtp-require-tls-00.txt

"John Levine" <> Tue, 12 January 2016 02:01 UTC

>Last time I checked, setting up DNSSEC is still a bit painful. Few  
>registrars, TMK, support DNSSEC directly. Maybe this has changed.

It's changed somewhat.  Some large registrars like Godaddy, Gandi, and
Tucows support it, some like NetSol don't.  I have about 300 zones on
my DNS server, all signed locally, but I've only been able to upload
the DS records for half of them.

For DANE, application software that supports TLSA and DNSSEC based TLS
verification is still pretty thin.  Versions of openssl with DANE
support only became available within the past month.

Having said all that, it's still far from clear to me that something
other than DANE would work any better, particularly considering how
cruddy the CA world is turning out to be.
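As an added illustration of the DS-record step the message refers to (not code from the list or its author): the DS record a registrar has to publish is derived from the zone's DNSKEY, and this constructed example computes the RFC 4034 key tag and SHA-256 digest. The zone name and the DNSKEY public key bytes are placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY presentation line (not a real key): flags 257 = KSK,
# protocol 3, algorithm 13 = ECDSAP256SHA256, placeholder public key bytes.
DNSKEY_RR = "example.com. IN DNSKEY 257 3 13 AQIDBA=="

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of 16-bit words over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_rr: str, digest_type: int = 2) -> str:
    """Build the DS RR for the parent zone from a DNSKEY presentation line."""
    tokens = dnskey_rr.split()
    owner, idx = tokens[0], 1
    if tokens[idx].isdigit():      # optional TTL
        idx += 1
    if tokens[idx].upper() == "IN":  # optional class
        idx += 1
    if tokens[idx].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    # DS digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(DNSKEY_RR))
```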