On Thu, 10 Dec 2015, Viktor Dukhovni wrote:

There are just ~30 domains with TLSA records that are large enough for you
to have heard of them.  Here's a sample:

...

   bund.de

Sadly that's only the main domain. Each subsection has its own servers, so bkg.bund.de does not support DANE ATM and that's the only bund.de I talk to.

   debian.org

Hmm, I use openSUSE. Maybe this prevents my Yeah effect...

Even posting to this list will not result in a "Yeah" :-(

I don't know whether cloud9.net hosting supports DNSSEC.  Posts to
this list are publically archived, so this is not a compelling use
case for stronger encryption.

But it would be nice sign :-)

Another question: In one of the postings some time back a TTL of 1 hour was
suggested for TLSA. Why that short? I agree that my 24 hours is a bit long for
switching, as a cert change then takes approx. 3 days. But 6-12 hours should
be fine.

Whatever works for you, but people do make mistakes with their TLSA
records, and you might also some day.  Mail redelivery attempts
after many hours of downtime get infrequent or sometimes don't
happen at all.

Right. I made my errors with HTTPS, where it's not so serious ATM. From the beginning I was much more careful with the mail :-)

Lately, folks are enthusiastic about "Let's Encrypt", but don't
seem to think through the integration with DANE on port 25.
We likely need appropriate guides for this use case both in a
Postfix DANE tutorial and from LE.

I don't understand that Let's Encrypt hype. I would welcome another free SSL offer, but compared to the other two existing ones I find Let's Encrypt worse. 90 days is impossible to handle manually and I don't want automation doing a certificate change for me (especially together with the fun that means when TLSA records need to be updated as well).

P.S. Maybe someone is interested. I'm currently improving the "tlsa" tool from hash-slinger (https://github.com/letoams/hash-slinger) to properly support STARTTLS and SNI. Some changes are still pending, but I'm positive they will get accepted. That makes generating and verifying TLSA data somewhat easier (and more automatic).

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
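As an added illustration of the two points in this exchange (the TLSA data that a tool like hash-slinger's "tlsa" generates and verifies, and why a certificate change has to wait out the TLSA TTL): this is example code written for this page, not code from the thread or from hash-slinger. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the function names are my own.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificate / SubjectPublicKeyInfo
# bytes; real deployments extract these from the X.509 certificate.
OLD_CERT, OLD_SPKI = b"constructed-old-cert-der", b"constructed-old-spki-der"
NEW_CERT, NEW_SPKI = b"constructed-new-cert-der", b"constructed-new-spki-der"

def tlsa_rdata(cert_der, spki_der, usage=3, selector=1, mtype=1):
    """RDATA tuple (usage, selector, mtype, hex) for one TLSA record, RFC 6698:
    selector 0 = full cert, 1 = SubjectPublicKeyInfo; matching type
    0 = exact bytes, 1 = SHA-256, 2 = SHA-512. Defaults give the '3 1 1' form."""
    blob = spki_der if selector == 1 else cert_der
    if mtype == 0:
        digest = blob
    elif mtype == 1:
        digest = hashlib.sha256(blob).digest()
    elif mtype == 2:
        digest = hashlib.sha512(blob).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return (usage, selector, mtype, digest.hex())

def parse_tlsa(text):
    """Parse presentation format such as '3 1 1 <hex>' (as shown by dig)."""
    u, s, m, h = text.split()
    return (int(u), int(s), int(m), h.lower())

def cert_matches_rrset(rrset, cert_der, spki_der):
    """A presented cert passes DANE if at least one published record matches it."""
    return any(tlsa_rdata(cert_der, spki_der, u, s, m)[3] == h for u, s, m, h in rrset)

def rollover_is_safe(rrset, old_cert, old_spki, new_cert, new_spki):
    """The key may be swapped on port 25 only while the RRset matches BOTH keys;
    the new record should also have been published for at least one TLSA TTL so
    that validating senders' caches hold it before the switch."""
    return (cert_matches_rrset(rrset, old_cert, old_spki)
            and cert_matches_rrset(rrset, new_cert, new_spki))

def rollover_states():
    """Safety of the three RRset states of a rollover: old only, old+new, new only."""
    old = tlsa_rdata(OLD_CERT, OLD_SPKI)
    new = tlsa_rdata(NEW_CERT, NEW_SPKI)
    args = (OLD_CERT, OLD_SPKI, NEW_CERT, NEW_SPKI)
    return [rollover_is_safe(rrset, *args) for rrset in ([old], [old, new], [new])]

if __name__ == "__main__":
    print(" ".join(str(f) for f in tlsa_rdata(NEW_CERT, NEW_SPKI)))
    print(rollover_states())  # [False, True, False]
```

With a 24-hour TTL each of the two waiting periods (after publishing the new record, and after swapping the key before removing the old record) is a full day, which is where the "approx. 3 days" above comes from.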
