On 24 Feb 2014, at 06:09, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
>
> Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> mailserver has TLSA records. Enabling DNSSEC does not prevent you
> from communicating with the rest of the world. Furthermore, you
> can enable DNSSEC validation in your resolver before your own domain
> is signed. The two are independent.

Wait, what? You can? Hmmm... Hover.com is still not supporting DNSSEC, but I can still validate my domains? That's not exactly what you said, is it?

> It only takes a few minutes to configure a validating recursive
> resolver. Install unbound and make sure it performs automatic
> tracking of the root zone DNSKEY.

unbound is better than bind for this sort of thing? (I noticed FreeBSD 10 has switched from bind to unbound, I expect they have good reason).

>> My Registrar said today:
>> "Sorry, currently it is not possible to use DNSSec for domains
>> registered here."
>
> Vote with your feet. I'm transferring my domains to a registrar
> with better DNSSEC support (and incidentally lower price).

Yes, well, in general registrars kind of suck, and hover doesn't suck. But yes, they need to get DNSSEC sorted.

>> But if I understand it right even if I do all perfect and hope that
>> more systems support that secure approach - I need to configure each
>> system supporting this individually by hand without any automatic
>> aid in my own system?
>
> No. DANE does not require per-destination configuration. That's the
> point.

DANE sounds nifty!

>> And then I need to hope that users start to use that information,
>> because all this work is completely useless until 100% deployed. My
>> 100 years guess aren't so bad I think. Very unlikely, that this
>> approach will work.
>
> No, DANE secures SMTP transport between publishing servers and
> validating clients regardless of what everyone else is doing. The
> adoption model is incremental.

Ibid.

-- 
Oh, he's just like any other man, only more so.