On 07.11.2014 at 18:22, Michael Ströder wrote:
Viktor Dukhovni wrote:
The rationale for the DANE work is in:

     http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3

I've already read/analyzed all DANE-related RFCs and almost all drafts in
detail, plus some IETF presentation slides.

As already mentioned on the IETF DANE WG list:
The main obstacle is currently lack of DNSSEC deployments.

And personally I strongly dislike the DNSSEC auto-signing people usually
implement in their DNS servers.

How else do you imagine maintaining 500, 1000, 10000 signed zones while you are also forced into repeated key changes, and if you make one mistake in that context one or all zones are dead?

You can do that for your one personal domain by hand,

but not for more: DNS is hierarchical and DNSSEC deployment doesn't end at *your* nameserver, you have to coordinate it with the registry responsible for the TLD of your domain.

Nobody, really nobody, maintains server configurations and dependent services, signing and so on by hand, or at least he will stop doing so after paying the price the first or second time, which is likely your existence as a provider if you fuck up 1000 customer domains through a human error during key rollout. That's not something you can revert easily within minutes.
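Added example, not part of the thread or of any poster's tooling: the coordination point the post describes, the DS set at the registry versus the DNSKEY RRset in your zone, is exactly what a rollover script must verify before retiring an old KSK. The following Python computes RFC 4034 key tags and DS digests and reports which published DS records link to a key, which are orphaned (they match no key, so validators fail if that is the only DS), and which SEP keys have no DS yet. The owner name and key bytes are constructed for illustration and are not real zone data.

```python
"""Check that the DS records the parent/registry publishes match the child
zone's DNSKEY RRset (RFC 4034 key tag and DS digest).  Added example; the
sample keys used below are constructed bytes, not real DNSSEC keys."""
import base64
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit: the key a DS is expected to point at


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes  # raw public key bytes (the base64 field in zone files)

    @classmethod
    def from_text(cls, text: str) -> "DNSKEY":
        """Parse presentation format: '<flags> <protocol> <algorithm> <base64...>'."""
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if (i & 1) else (b << 8)
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-case

    @classmethod
    def from_text(cls, text: str) -> "DS":
        """Parse presentation format: '<keytag> <algorithm> <digesttype> <hex...>'."""
        tag, alg, dtype, *hexparts = text.split()
        return cls(int(tag), int(alg), int(dtype), "".join(hexparts).upper())


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # no GOST (type 3)


def owner_to_wire(owner: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_for(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a DNSKEY: digest over canonical owner name || DNSKEY RDATA (RFC 4034 s.5.1.4)."""
    h = _DIGESTS[digest_type](owner_to_wire(owner) + key.rdata()).hexdigest().upper()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def rollover_status(owner: str, dnskeys, parent_ds):
    """Compare the child's DNSKEY RRset with the DS set the parent publishes.

    Returns (linked, orphaned, unpublished):
      linked      - key tags of DNSKEYs that some published DS points at
      orphaned    - DS records matching no DNSKEY (the zone is bogus if only these remain)
      unpublished - SEP keys with no DS at the parent yet (do not retire the old KSK)
    """
    linked, orphaned, unpublished = set(), [], set()
    for ds in parent_ds:
        hit = [k for k in dnskeys
               if ds.digest_type in _DIGESTS and ds_for(owner, k, ds.digest_type) == ds]
        if hit:
            linked.update(k.key_tag() for k in hit)
        else:
            orphaned.append(ds)
    for k in dnskeys:
        if k.flags & SEP_FLAG and k.key_tag() not in linked:
            unpublished.add(k.key_tag())
    return linked, orphaned, unpublished


if __name__ == "__main__":
    owner = "example.com"
    old_ksk = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")  # constructed bytes, not a real key
    new_ksk = DNSKEY(257, 3, 13, b"\x09\x09\x09\x09")  # constructed bytes, not a real key
    published = [ds_for(owner, old_ksk)]               # what the registry currently shows
    linked, orphaned, unpublished = rollover_status(owner, [old_ksk, new_ksk], published)
    print("linked:", sorted(linked), "orphaned:", orphaned, "unpublished:", sorted(unpublished))
```

In practice you would feed `DNSKEY.from_text` the records from your signer and `DS.from_text` the answer to a DS query against the parent's authoritative servers; the rule for a safe rollover is that `unpublished` is empty before the old KSK is dropped and `orphaned` is empty after the registry has removed the old DS.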
