I've been watching this thread with interest. Assume I have a domain with DNSSEC and inbound mail servers behind a (load-balanced) MX which support TLS.
If I've been following along correctly, if I publish a DNS record of the form:

    _25._tcp.mx.mydomain.org. IN TLSA 3 1 1 <sha2-256 digest of DER leaf public key in X.509 SPKI format>

this will make some (currently smallish?) set of mail servers sending to me have a better assurance they are really talking to me. Is this correct? And does "leaf public key" refer to the public key associated with the cert used for STARTTLS or ...something else...?

Thanks,
John

--
John Hascall <j...@iastate.edu>
Team Lead, Network Infrastructure, Authentication, & Directory Services
IT Services, The Iowa State University of Science and Technology

On Wed, Jan 7, 2015 at 1:12 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Wed, Jan 07, 2015 at 07:54:03PM +0100, Jean Bruenn wrote:
>
> > I am
> > sure that I'll be able to find a registrar in Germany with the
> > same prices, a similar realtime API and dnssec support.
> > Still I would not like to switch after 10+ years without any
> > trouble, to another registrar - call me lazy if you want.
>
> You're lazy. :-) Take your time, no need to rush.
>
> > Currently I am testing and "playing around" with dnssec,
> > dane and such stuff to learn more about it - I am not under pressure
> > to implement it, nor do I need it 'cuz it's cool or something.
>
> That's what I'm looking for, people who take the time to do it
> right, rather than rush into it half-baked as a fashion statement.
>
> > Would be pretty interesting to see some country-statistic
> > about dnssec usage.
>
> The SMTP DANE adoption by TLD breakdown is:
>
>   794 TOTAL
>   ---------
>   231 de
>   132 net
>    96 com
>    80 org
>    29 eu
>    25 ch
>    21 nl
>    21 cz
>    12 me
>    12 dk
>    11 uk
>    11 fr
>    10 io
>     9 se
>     9 info
>     9 be
>     8 email
>     6 at
>     5 is
>     4 us
>   ...
>
> And many of the .net/.com/.org/.eu domains are really German domains
> "in disguise". So despite the registrar barriers, .DE is by far
> the biggest early adopter.
>
> --
> Viktor.
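For reference, here is how the "3 1 1" digest in that record is derived from the certificate the MX presents at STARTTLS. This is an added example, not code from the thread; it assumes `openssl` is on the PATH and uses a constructed throwaway self-signed certificate in place of the real server certificate (on a Postfix MX that would be the file named by `smtpd_tls_cert_file`). The digest covers the DER-encoded SubjectPublicKeyInfo (algorithm identifier plus the key), not the whole certificate, so it survives certificate renewals that keep the same key pair.

```shell
# Usage 3 = DANE-EE (match the leaf itself, no CA chain needed)
# Selector 1 = SubjectPublicKeyInfo (not the full certificate)
# Matching type 1 = SHA-256 of the selected data

# Hex SHA-256 of the DER SubjectPublicKeyInfo taken from a PEM certificate.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n'
}

# Same digest derived from the private key: a cross-check that the
# deployed certificate really carries the key you think it does.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n'
}

# Emit the complete zone-file line for an MX host name and its cert.
# The owner name is the MX host (as named in the MX RRset), not the
# mail domain, and it must be DNSSEC-signed for senders to trust it.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311_from_cert "$2")"
}

# Constructed demo: a one-day self-signed cert stands in for the real
# STARTTLS certificate. Replace the paths with your own files in practice.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mx.example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    tlsa_record mx.example.org "$dir/cert.pem"
    rm -rf "$dir"
}
```

Before publishing, compare the digest against what the live MX actually serves, and publish the new record (and let it propagate through TTL) before swapping to a new key pair, otherwise DANE-verifying senders will refuse to deliver.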