On 08/22/2015 06:23 AM, Viktor Dukhovni wrote:
Until now, most DANE deployments have been on small hobbyist
machines, by people who mostly don't correspond with each other.
So if a particular domain's TLSA RRs were broken, nobody noticed.

This is about to change.  The German email providers web.de and
gmx.de have announced upcoming DANE support (by the end of this
year).  What this means for the hobbyist early adopters is that
forgetting/failing to do key/cert rollover correctly will soon
lead to lost mail.  See:

     https://dane.sys4.de/common_mistakes#3
     https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.1
     https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.4

If you don't create README files in your certificate directory,
add comments to Postfix configuration files, or otherwise create
reminders for yourself to not forget to do it right, perhaps DANE
is not right for you.  "Deploy and forget" does not work for TLSA
records if you ever change your certificate or public key.


I think that if DANE entries which are valid on TCP port 443 are not valid on TCP port 25, then the DANE RFC itself needs an update. That causes confusion, and confusion hampers adoption.
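Viktor's point is that a TLSA record must be kept in step with the key or certificate the MTA actually serves, and dane-ops 8.1/8.4 describe the safe pattern: publish the record for the next key alongside the current one, wait out the TTL, then switch the key and retire the old record. The following is an added example (not code from the thread, from Postfix or from the sys4 page) that computes the TLSA rdata for a given DER-encoded key or certificate and checks whether a set of published records covers both the current and the next key before a rollover. The SPKI byte strings are constructed placeholders, not real keys; with a real deployment you would feed it the DER SubjectPublicKeyInfo extracted from the certificate file and the records fetched from DNS.

```python
import hashlib

# RFC 6698 section 2.1.3 matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512
MATCHING_TYPE_HASHES = {0: None, 1: "sha256", 2: "sha512"}

# Constructed sample inputs standing in for DER SubjectPublicKeyInfo blobs.
# They are NOT real keys; replace with the DER bytes of the served certificate's SPKI.
CURRENT_SPKI = b"constructed-current-spki-der-bytes"
NEXT_SPKI = b"constructed-next-spki-der-bytes"


def tlsa_data(der: bytes, matching_type: int) -> str:
    """Hex Certificate Association Data for DER input under a matching type."""
    algo = MATCHING_TYPE_HASHES[matching_type]
    if algo is None:
        return der.hex()
    return hashlib.new(algo, der).hexdigest()


def tlsa_record(usage: int, selector: int, matching_type: int, der: bytes) -> str:
    """Presentation-format rdata, e.g. '3 1 1 <sha256 hex>' (DANE-EE, SPKI, SHA-256)."""
    return f"{usage} {selector} {matching_type} {tlsa_data(der, matching_type)}"


def parse_tlsa(rdata: str):
    """Split presentation-format rdata into (usage, selector, matching_type, hexdata)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    # DNS tools may print the hex with spaces or upper case; normalise it.
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()


def key_is_covered(published, der: bytes, usage: int = 3, selector: int = 1) -> bool:
    """True if any published record with this usage/selector matches the DER input."""
    for rdata in published:
        u, s, m, data = parse_tlsa(rdata)
        if u == usage and s == selector and tlsa_data(der, m) == data:
            return True
    return False


def rollover_check(published, current_der: bytes, next_der: bytes) -> dict:
    """Report whether the published TLSA RRset covers the served key and the next one.

    A rollover is only safe once both are covered: the old record keeps mail
    flowing for caches that still hold the old RRset, the new one covers the
    key after the switch.
    """
    current_ok = key_is_covered(published, current_der)
    next_ok = key_is_covered(published, next_der)
    return {
        "current_covered": current_ok,
        "next_covered": next_ok,
        "safe_to_roll": current_ok and next_ok,
    }


if __name__ == "__main__":
    # Step 1: today's RRset covers only the served key; rolling now would lose mail.
    rrset = [tlsa_record(3, 1, 1, CURRENT_SPKI)]
    print(rrset[0])
    print(rollover_check(rrset, CURRENT_SPKI, NEXT_SPKI))
    # Step 2: publish the record for the next key, wait out the TTL, then roll.
    rrset.append(tlsa_record(3, 1, 1, NEXT_SPKI))
    print(rollover_check(rrset, CURRENT_SPKI, NEXT_SPKI))
```

The check is deliberately strict about usage and selector: a "3 1 1" record only matches a key hashed as SPKI, so a record that covers the full certificate ("3 0 1") will not count as covering the key, which is exactly the mismatch that surfaces when a certificate is renewed under the same key but the record was pinned to the certificate rather than the key.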
