On 07.11.2014 at 18:22, Michael Ströder wrote:
Viktor Dukhovni wrote:
The rationale for the DANE work is in:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
I've already read/analyzed all DANE-related RFCs and almost all drafts in
detail, as well as some IETF presentation slides.
As already mentioned on the IETF DANE WG list:
The main obstacle is currently lack of DNSSEC deployments.
And personally I strongly dislike the DNSSEC auto-signing people usually
implement in their DNS servers.
How else do you imagine maintaining 500, 1000, 10000 signed zones while
you are also forced into repeated key changes, and if you make one
mistake in that context one or all zones are dead?

You can do that for your one personal domain by hand, but not for more.
DNS is hierarchical, and DNSSEC deployment doesn't end at *your*
nameserver; you have to coordinate it with the registry responsible for
the TLD of your domain.

Nobody, really nobody, maintains server configurations and dependent
services, signing and so on by hand, or at least he will stop doing so
after paying the price the first or second time, which likely is your
existence as a provider if you fuck up 1000 customer domains through a
human error during key rollout. That's not something you can revert
easily within minutes.
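The rollover failure the reply warns about (the child zone replaces its KSK before the DS record at the registry follows) can be caught with a pre-flight check that recomputes DS records from the DNSKEY RRset and compares them with what the parent publishes. The following is an added example, not code from the list thread; the zone name and key bytes are constructed, and `ds_chain_ok` and `rollover_scenario` are hypothetical names.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (sum of 16-bit words, folded to 16 bits)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest()

def ds_for(owner, key, digest_type=2):
    # DS tuple (key tag, algorithm, digest type, digest) a parent would publish for this KSK
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))

def ds_chain_ok(owner, parent_ds, child_dnskeys) -> bool:
    """True if at least one DS at the parent matches a DNSKEY the child currently serves."""
    for tag, alg, dtype, digest in parent_ds:
        for key in child_dnskeys:
            rdata = dnskey_rdata(*key)
            if (key[2] == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest.lower()):
                return True
    return False  # no link from parent to child: validating resolvers mark the zone bogus

# Constructed test data: a zone with an old and a new KSK (tiny fake key bytes, not real keys).
ZONE = "example.org"
OLD_KSK = (257, 3, 8, b"\x01\x02")  # flags 257 = KSK, protocol 3, algorithm 8
NEW_KSK = (257, 3, 8, b"\x03\x04")

def rollover_scenario():
    """Returns (before, broken, safe, after) for one KSK rollover."""
    before = ds_chain_ok(ZONE, [ds_for(ZONE, OLD_KSK)], [OLD_KSK])
    # The mistake from the thread: child drops the old KSK before the registry publishes the new DS.
    broken = ds_chain_ok(ZONE, [ds_for(ZONE, OLD_KSK)], [NEW_KSK])
    # Safe order: both DS at the parent and both KSKs in the child until the old DS is withdrawn.
    safe = ds_chain_ok(ZONE, [ds_for(ZONE, OLD_KSK), ds_for(ZONE, NEW_KSK)], [OLD_KSK, NEW_KSK])
    after = ds_chain_ok(ZONE, [ds_for(ZONE, NEW_KSK)], [NEW_KSK])
    return before, broken, safe, after
```

Running `ds_chain_ok` against the live DS RRset at the parent and the DNSKEY RRset on your own servers before each step of a rollover is the check that turns the "one mistake kills the zone" case into a refused deployment.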