Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 June 2022 00:05 UTC
Date: Thu, 23 Jun 2022 20:05:40 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <YrT/1McOW9RNt22G@straasha.imrryr.org>
Reply-To: uta@ietf.org
References: <YrTRbIMW2OatWZYO@straasha.imrryr.org> <20220623213332.B9E54442A79F@ary.qy>
In-Reply-To: <20220623213332.B9E54442A79F@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QkWQcqsoCh876L_5mvB2bBlfPNA>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
On Thu, Jun 23, 2022 at 05:33:32PM -0400, John Levine wrote:

> Kind of. I use the same key for all of the certs for the many names
> that each of my mail servers have so I have one TLSA record and a lot
> of CNAMEs. That's probably bad practice for some reason but whatever.

Actually, I'd say that TLSA record CNAMEs are a fine practice. If the
underlying servers in fact share the same key, then centralising the TLSA
record management in one place reduces the odds that you'd forget to
update one of them when the server key rolls over. Better a robust,
well-managed shared key than lots of keys poorly managed.

Speaking of DANE deployment, today mijndomein.nl enabled inbound DANE for
184k customer domains, making them the #3 DANE SMTP hosting provider by
MX-hosted domain count. The total number of DANE SMTP domains is now 3.53
million. Yes, Gmail, and so MTA-STS, probably has more users, but DANE
has 2 to 3 orders of magnitude more domains.

Looking at the top 15 MX hosting providers of DNSSEC-signed customer
domains, the numbers are:

  # domains  hosting zone        DNSSEC/DANE?
  ---------  ------------------  ------------
  2,322,925  google.com          -
  1,461,637  ovh.net             -
  1,249,420  one.com             DANE
    578,352  outlook.com         -
    279,564  hostpoint.ch        DANE
    194,551  googlemail.com      -
    185,512  mijndomein.nl       DANE
    172,483  infomaniak.ch       DANE
    167,874  argewebhosting.nl   DANE
    156,585  transip.email       DANE
    139,405  aftermarket.pl      DNSSEC
    115,664  hostnet.nl          DANE
    110,050  mailprotect.be      -
    107,427  domeneshop.no       DANE
     98,172  loopia.se           DANE

-- 
Viktor.
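The "one TLSA RRset, many CNAMEs" arrangement discussed above, worked through as an added example (not code from the post or from any of the operators named in it): a small offline model of a zone in which three MX hosts share a key and CNAME their `_25._tcp` TLSA names to one shared RRset, while a fourth host keeps its own record. The zone contents, host names and SPKI byte strings are constructed placeholders; the digest rule is the standard "3 1 1" one (DANE-EE, SPKI selector, SHA-256). Rolling the shared key means editing one RRset, and the audit shows which host that edit does not reach.

```python
import hashlib

# Constructed zone (not from the post): mx1..mx3 share one key, so their TLSA owner
# names are CNAMEs to a single shared TLSA RRset; mx4 keeps its own TLSA record.
# The SPKI values are placeholder bytes standing in for DER SubjectPublicKeyInfo.
OLD_SPKI = b"constructed-DER-SPKI-of-old-shared-key"
NEW_SPKI = b"constructed-DER-SPKI-of-new-shared-key"

def spki_digest(spki_der):
    # TLSA selector 1 (SPKI) with matching type 1 (SHA-256): the "3 1 1" form
    return hashlib.sha256(spki_der).hexdigest()

ZONE = {
    "_25._tcp.mx1.example.net.": ("CNAME", "_dane.example.net."),
    "_25._tcp.mx2.example.net.": ("CNAME", "_dane.example.net."),
    "_25._tcp.mx3.example.net.": ("CNAME", "_dane.example.net."),
    "_dane.example.net.": ("TLSA", [(3, 1, 1, spki_digest(OLD_SPKI))]),
    "_25._tcp.mx4.example.net.": ("TLSA", [(3, 1, 1, spki_digest(OLD_SPKI))]),
}

def resolve_tlsa(zone, name, max_hops=8):
    # Follow CNAMEs from the TLSA owner name to the TLSA RRset, as a verifier does
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, (None, None))
        if rtype == "TLSA":
            return rdata
        if rtype != "CNAME":
            return []          # no usable TLSA data at this name
        name = rdata
    return []                  # CNAME chain too long: treat as unusable

def host_matches(zone, mx_host, spki_der):
    # True if a 3 1 1 record reachable from _25._tcp.<mx> matches the key the host serves
    want = spki_digest(spki_der)
    return any(u == 3 and s == 1 and m == 1 and d == want
               for (u, s, m, d) in resolve_tlsa(zone, "_25._tcp." + mx_host))

def audit(zone, deployed):
    # deployed maps MX host -> SPKI it currently presents; result maps host -> record matches?
    return {host: host_matches(zone, host, spki) for host, spki in deployed.items()}

def rollover(zone, shared_name, new_spki):
    # Key roll: one edit to the shared RRset re-covers every host that CNAMEs to it
    new_zone = dict(zone)
    new_zone[shared_name] = ("TLSA", [(3, 1, 1, spki_digest(new_spki))])
    return new_zone

HOSTS = ["mx%d.example.net." % i for i in (1, 2, 3, 4)]
BEFORE = audit(ZONE, {h: OLD_SPKI for h in HOSTS})   # every host matches
AFTER = audit(rollover(ZONE, "_dane.example.net.", NEW_SPKI), {h: NEW_SPKI for h in HOSTS})
# AFTER: mx1..mx3 match; mx4 does not, because its own record still carries the old digest
```

Running the same audit against live DNS and the certificates the MX hosts actually present is the check worth automating after every key roll; the host that was forgotten is exactly the one whose TLSA name does not point at the shared RRset.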