> On 20210601, at 15:15, Moritz Müller via NANOG <nanog@nanog.org> wrote:
>
> Hi,
>
> DANE for SMTP is not deployed on a large scale. Together with researchers from
> Seoul National University, Virginia Tech and the University of Twente, we
> would like to understand which challenges operators face when deploying DANE
> for SMTP.

DNSSEC?
... ;)

No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as
it feels 'fragile' for them.

Now, over the last few years this fragility has become less, especially with
DNS servers already doing most of the work for you, but people still find it
scary, as when DNS breaks (and "it is always DNS", unless it is the network
full of packets eh, or broken routes, etc), then you lose all your eggs.

And replacing a DNS key can take a few moments, especially with caching of
records etc.
Thus downtime is then ensured.

Combine that with many shops not having much DNS knowledge in the first place,
they won't easily get their heads around that barrier.

Hosted offerings (where the shop has 24/7 people just for DNS) are then the
only way to go, but then why have an Internet, we could just let everything be
done by a single Monopoly and be done with it.

As for solutions: better education, more improvements to the tools & making it
easier. CDS records already help a lot. But we might also need to improve
recovery mechanisms, as f-ups are made, and you don't want to be off this
Internet thing for too long.

Greets,
Jeroen