On Sat, Aug 22, 2015 at 07:42:45AM -0700, Alice Wonder wrote:

> >If you don't create README files in your certificate directory,
> >add comments to Postfix configuration files, or otherwise create
> >reminders for yourself to not forget to do it right, perhaps DANE
> >is not right for you. "Deploy and forget" does not work for TLSA
> >records if you ever change your certificate or public key.
>
> I think if things like valid DANE entries that are fine on TCP port 443 are
> not valid if it is TCP Port 25 that the DANE RFC itself needs an update.
> That causes confusion and confusion hampers adoption.

1. draft-ietf-dane-ops *is* an update of RFC 6698.
2. draft-ietf-dane-smtp-with-dane *is* a "specialization" of DANE for SMTP.
3. See also draft-ietf-dane-srv and RFC 7435.

It is best to hold off on posting gut instinct reactions. Get
acquainted with the problem, think about the issues for some weeks
or months, come back later and share what you've learned.

--
Viktor.