The EFF folks behind this effort have reached out to me and we've
discussed some of the issues. I am somewhat ambivalent about this,
as it introduces a non-scalable registry that does fully address
the problem, and perhaps reduces incentives to do it right and
deploy DANE. On the other hand, DNSSEC adoption by large providers
is a non-trivial effort, and they cannot yet deploy DANE as quickly
as they may be able to sign up for the EFF registry. So I am not
sure whether this is a step forward or sideways.

I'm one of the implementers behind EFF's STARTTLS-Everywhere
project. I see it as an intermediate way to decouple deployment of
stronger SMTP from deployment of DNSSEC. This way, mail operators
can start enforcing good TLS policies today, so that once their
domains are signed, it will be easy and safe for them to start using
DANE to distribute those policies. If mail operators have to wait
until their entire domain is signed in order to begin trying strong
TLS policies, that significantly delays broad deployment.
I realize that DANE could be an incentive for operators to get their
domains DNSSEC signed, but I think that at some of the largest mail
providers, DNS is handled by an entirely different organization than
email. The email team may not have the ability to directly implement
DNSSEC themselves, but have to wait for another team to resolve the
relevant operational issues and deploy it. We'd like to give them
something positive to implement in the meantime that brings them a
step closer to the right solution.
Or, to look at it another way: Right now, email providers are
bragging about implementing STARTTLS. We'd like to continue that
virtuous cycle of seeing email security upgrades as important and
valuable, which will make future improvements even easier.