On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
> >If you want scalable security for SMTP, become an early adopter
> >of DANE TLS, available in Postfix 2.11. Today, you'll be able
> >to opportunistically authenticate the handful of DNSSEC signed
> >domains that publish TLSA records for SMTP. Over time, I hope
> >that handful will grow to a decent fraction of SMTP sites.
>
> Oh yes - DNSSEC. When will it come? In a hundred years?

Dirk, do you mind explaining this? Are you having trouble finding
DNSSEC-enabled DNS hosting?

It's true that most of the numerous free DNS providers are not
DNSSEC-enabled, but I found a few:

http://www.frankb.us/dns/

Beware the services which do not support notify. When zones are signed
and automatically maintained, new signatures are published as needed.
With notify, slave NS hosts will pull the new data as soon as it is
available.

Self-hosting of DNS is not that difficult; in fact I think setting up
and maintaining a Postfix MTA is much more challenging than BIND named.
But as with self-hosting mail, you get exposure to attacks and the need
to watch for security issues and patches.

I can suggest a cost effective way for SMBs with a moderately-capable
GNU/Linux admin on board to get unlimited DNSSEC-signed zones for
US$20/month: Linode.com. Run BIND named on your own VPS, then have
Linode's nameservers slave it. There may be other VPS providers offering
similar services, but I specifically mention Linode because I know they
support both notify and DNSSEC.

If you need enterprise-class hosting, you are able and should be willing
to pay for it. Linode is too low-end to be called "enterprise", but I
think they offer the geographic and network diversity that DNS needs.
Of course there is no shortage of enterprise-class DNS hosting out
there, priced accordingly. My own employer is in that line, so I'll
avoid ethical questions by leaving off any specific mention of such
services.

> Sorry, probably this is not the right place to complain, but I hear
> the same arguments for so many years now and there is no progress.
> The algorithms get better and better, but there is no progress in
> adopting useful methods to use them. And seeing the big-money
> certificate system for SSL which gives trust away to some
> uncontrollable companies and governments also does not help a lot
> (probably even trying to prevent any wide adoption of DNS-based
> certs, because they will kill their model to earn money).

Yep, I think DNSSEC and DANE will cheer you up quite well. :)
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
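The hidden-primary setup rob0 describes (your own BIND named signing and maintaining the zone, a provider's nameservers slaving it, with notify so the secondaries pull fresh signatures promptly), as an added named.conf example that is not from this thread or from any provider's documentation. The secondary addresses, the zone name and the key directory are placeholders; the key pairs are assumed to have been generated beforehand with dnssec-keygen into that directory.

```conf
// Added example: hidden-primary named.conf fragment for an automatically
// signed zone. SLAVE_NS_IP_1/2 are placeholders for the provider's
// secondary nameserver addresses (constructed, not real values).
options {
    directory "/var/named";
    // Authoritative-only server: never recurse for anyone.
    recursion no;
    // Send NOTIFY only to the hosts in also-notify (the provider's
    // secondaries), not to whatever is in the zone's NS RRset.
    notify explicit;
    also-notify { SLAVE_NS_IP_1; SLAVE_NS_IP_2; };
    // Restrict zone transfers (AXFR/IXFR) to those same secondaries.
    allow-transfer { SLAVE_NS_IP_1; SLAVE_NS_IP_2; };
};

zone "example.com" IN {
    type master;
    // The unsigned zone file stays hand-editable; named keeps the
    // signed copy (example.com.db.signed) itself.
    file "zones/example.com.db";
    inline-signing yes;
    // Load the KSK/ZSK from key-directory and re-sign RRsets before
    // their RRSIGs expire, so the secondaries receive new signatures
    // via NOTIFY + IXFR without manual intervention.
    auto-dnssec maintain;
    key-directory "keys/example.com";
};
```

After a reload, an answer to `dig +dnssec SOA example.com @SLAVE_NS_IP_1` that carries RRSIG records confirms the signed zone reached the secondary; the DS record for the KSK still has to be placed at the registrar for validators to trust it.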