On 1/7/25 4:31 AM, Taavi Eomäe wrote:
> On 06/01/2025 19:58, Michael Thomas wrote:
>> This pretty much tells you everything you need to know about the
>> state of DNSSec [...]
>
> I don't think the fact of whether Google has or has not deployed
> something should be the deciding factor here.

It's just indicative that DNSSec is not widely deployed, which 20 years
ago, when the choice between using DNS and HTTPS was made, it was
plausible that it would be.

> Are you against DNS (and by extension its security mechanisms) being
> used for DKIM in general? And not that you would find it valuable to
> know if the public keys were fetched in a way that their
> authenticity/integrity is known?

It was a mistake, yes. We didn't understand the overall costs at the
time and DNS seemed like a cheaper (compute-wise, etc.) alternative to
setting up an HTTPS-based key server. It turns out that the cost of DKIM
was pretty much nothing in comparison, especially on the receiving end, so
there was no good reason not to take the more secure route.
Mike