On 08/22/2015 07:42 AM, Alice Wonder wrote:


On 08/22/2015 06:23 AM, Viktor Dukhovni wrote:
Until now, most DANE deployments have been on small hobbyist
machines, by people who mostly don't correspond with each other.
So if a particular domain's TLSA RRs were broken, nobody noticed.

This is about to change.  The German email providers web.de and
gmx.de have announced upcoming DANE support (by the end of this
year).  What this means for the hobbyist early adopters is that
forgetting/failing to do key/cert rollover correctly will soon
lead to lost mail.  See:

     https://dane.sys4.de/common_mistakes#3
     https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.1
     https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.4

If you don't create README files in your certificate directory,
add comments to Postfix configuration files, or otherwise create
reminders for yourself to not forget to do it right, perhaps DANE
is not right for you.  "Deploy and forget" does not work for TLSA
records if you ever change your certificate or public key.


I think if things like valid DANE entries that are fine on TCP port 443
are not valid if it is TCP port 25, the DANE RFC itself needs an
update. That causes confusion and confusion hampers adoption.

I realize this isn't the DANE list but maybe what DANE needs to do is simply drop certificate authority specific support, and just be hostname validation.

Clients (like web browsers) that want additional validation can continue to do that the way they currently do.

That would make DANE simpler.
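The rollover failure Viktor describes above (a certificate or key changes, the TLSA RRset does not, and DANE-verifying senders start refusing mail) can be caught mechanically before the swap. The following is an added example, not code from the thread, from Postfix, or from dane.sys4.de: it computes the TLSA "certificate association data" for a certificate under the RFC 6698 selectors (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching types (0 = exact, 1 = SHA-256, 2 = SHA-512), and gates deployment on the published records covering the certificate that is about to go live. To stay dependency-free it carries a tiny DER encoder/decoder and builds its own sample certificates; the hostname `mx.example.test`, the toy key bytes and the dummy signature are constructed, and only DANE-EE (usage 3) is handled because DANE-TA (usage 2) needs the issuer chain.

```python
import hashlib

# ---- minimal DER helpers (enough to build and read the constructed sample certificate) ----

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(content: bytes):
    """Split a constructed value into (tag, full TLV bytes) for each child."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        out.append((tag, content[pos:nxt]))
        pos = nxt
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    _, cert_body, _ = der_read(cert_der)
    tbs_tlv = der_children(cert_body)[0][1]
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # optional explicit [0] version comes first
        fields = fields[1:]
    # order is now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def build_sample_cert(pubkey_bytes: bytes) -> bytes:
    """Constructed sample certificate: hypothetical name, toy key bytes, dummy signature."""
    alg = der_seq(der(0x06, bytes.fromhex("2A864886F70D01010B")), der(0x05, b""))  # sha256WithRSA
    name = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),          # CN=
                                    der(0x0C, b"mx.example.test"))))
    validity = der_seq(der(0x17, b"150101000000Z"), der(0x17, b"160101000000Z"))
    spki = der_seq(der_seq(der(0x06, bytes.fromhex("2A864886F70D010101")), der(0x05, b"")),
                   der(0x03, b"\x00" + pubkey_bytes))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                  alg, name, validity, name, spki)
    return der_seq(tbs, alg, der(0x03, b"\x00" + bytes(32)))

# ---- TLSA matching (RFC 6698 selectors and matching types) ----

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Hex 'certificate association data' for the given selector / matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")

def make_tlsa(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Render the TLSA rdata a zone should publish for this certificate (default 3 1 1)."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"

def tlsa_matches(cert_der: bytes, records):
    """Return the published DANE-EE(3) records that match the certificate."""
    hits = []
    for rr in records:
        usage, selector, mtype, hexdata = rr.split(None, 3)
        if int(usage) != 3:               # DANE-TA(2) needs the chain; not handled here
            continue
        if tlsa_data(cert_der, int(selector), int(mtype)) == hexdata.replace(" ", "").lower():
            hits.append(rr)
    return hits

def safe_to_deploy(cert_der: bytes, published_records) -> bool:
    """Pre-rollover gate: refuse to install a certificate the live RRset does not cover."""
    return bool(tlsa_matches(cert_der, published_records))

if __name__ == "__main__":
    old_cert = build_sample_cert(bytes(range(64)))          # constructed "current" key
    new_cert = build_sample_cert(bytes(range(64, 128)))     # constructed "rolled" key
    live = [make_tlsa(old_cert)]
    print("new cert vs old record only:", safe_to_deploy(new_cert, live))   # False: senders would refuse mail
    live.append(make_tlsa(new_cert))                                         # publish the new record first
    print("new cert vs both records:  ", safe_to_deploy(new_cert, live))    # True: swap once the old TTL has expired
```

In practice the `records` list comes from the zone as actually served (for example the rdata of `dig TLSA _25._tcp.mx.example.test`), and the check is run with the candidate certificate before it is installed, so that the sequence "publish the new record alongside the old, wait out the TTL, swap the certificate, then retire the old record" is enforced rather than remembered. Hashing the SubjectPublicKeyInfo (selector 1) rather than the whole certificate is what lets a certificate be renewed with the same key without touching DNS at all; a key change always needs the DNS step.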
