On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:

> > > Oh yes - DNSSEC. When will it come? In hundred years?
> >
> > Available today. Two of my domains are signed, the third will be
> > shortly. And you're complaining about people being complacent and
> > stuck in the past.
>
> I don't want to have a perfection box which can't communicate with
> the rest of the world, but something which helps with today's
> internet.

Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His mailserver
has TLSA records. Enabling DNSSEC does not prevent you from
communicating with the rest of the world.

Furthermore, you can enable DNSSEC validation in your resolver before
your own domain is signed. The two are independent.

> > If you want secure SMTP transport, direct your efforts at DNSSEC,
> > and then publish TLSA records for your domain.
>
> Oh, I'll try, but I doubt I will get this done in the next 2 years.

It only takes a few minutes to configure a validating recursive
resolver. Install unbound and make sure it performs automatic tracking
of the root zone DNSKEY.

> My Registrar said today:
> "Sorry, currently it is not possible to use DNSSec for domains
> registered here."

Vote with your feet. I'm transferring my domains to a registrar with
better DNSSEC support (and incidentally lower price).

> But if I understand it right even if I do all perfect and hope that
> more systems support that secure approach - I need to configure each
> system supporting this individually by hand without any automatic
> aid in my own system?

No. DANE does not require per-destination configuration. That's the
point.

> And then I need to hope that users start to use that information,
> because all this work is completely useless until 100% deployed. My
> 100 years guess isn't so bad, I think. Very unlikely that this
> approach will work.

No, DANE secures SMTP transport between publishing servers and
validating clients regardless of what everyone else is doing. The
adoption model is incremental.

-- 
	Viktor.
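The two concrete steps the reply recommends (a validating unbound resolver that tracks the root DNSKEY automatically, and TLSA records published for the MX host) as a worked example. This script is an added illustration, not code from the thread or from Postfix/unbound; the hostname mail.example.com, the unbound root.key path and the throwaway self-signed certificate it generates are assumptions standing in for a real deployment.

```shell
#!/bin/sh
# Added example, not from the original message. Builds the TLSA records
# for an SMTP server from its certificate and prints the minimal unbound
# fragment for a validating resolver. Hostname, key path and the
# throwaway certificate below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate standing in for the MX host's real one
# (the real record is computed from the certificate the server actually
# presents on port 25).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# SHA-256 of stdin as lowercase hex; strips the "...(stdin)= " prefix so
# it works across OpenSSL 1.0/1.1/3.x output formats.
sha256_hex() {
    openssl dgst -sha256 | sed 's/^.*= *//'
}

# "3 1 1": usage DANE-EE(3), selector SPKI(1), matching SHA-256(1).
# Binds the public key, so it survives certificate renewals that keep
# the same key pair. This is the form usually recommended for SMTP.
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | sha256_hex
}

# "3 0 1": usage DANE-EE(3), selector full certificate(0), SHA-256(1).
# Must be re-published every time the certificate changes.
tlsa_3_0_1() {
    openssl x509 -in "$1" -outform DER | sha256_hex
}

# Zone file lines for the MX host. The zone holding them must itself be
# DNSSEC-signed, otherwise DANE clients ignore them.
tlsa_records() {
    host=$1
    cert=$2
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$host" "$(tlsa_3_1_1 "$cert")"
    printf '_25._tcp.%s. IN TLSA 3 0 1 %s\n' "$host" "$(tlsa_3_0_1 "$cert")"
}

# Minimal unbound.conf fragment for a validating recursive resolver.
# auto-trust-anchor-file makes unbound track root zone DNSKEY rollovers
# itself (RFC 5011); the path is an assumption and is distribution
# specific. Seed the file once with: unbound-anchor -a <that path>
unbound_fragment() {
    cat <<'EOF'
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
}

# Stand-alone run: print the records and the resolver fragment.
if [ "${1:-}" = "--demo" ]; then
    CERT=$(make_test_cert)
    tlsa_records mail.example.com "$CERT"
    unbound_fragment
fi
```

Run it with `--demo` to see the two record lines and the unbound fragment. Verify the published record against the live server with `posttls-finger -c -l dane "[mail.example.com]"` once the zone is signed; if the resolver is not validating, Postfix will silently fall back to opportunistic TLS rather than enforce the TLSA binding.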