On 21.03.2016 18:47, Viktor Dukhovni wrote:
>
>> On Mar 21, 2016, at 12:18 PM, David Schweikert <da...@schweikert.ch> wrote:
>>
>> I wonder what the Postfix community thinks or plans to do according to
>> this standard that is being written:
>> https://datatracker.ietf.org/doc/draft-margolis-smtp-sts/?include_text=1
>
> My take on the draft is that it is a hack to get the large email providers
> doing SMTP TLS with authentication amongst themselves while they take multiple
> years to ponder DNSSEC, which can be tricky to retrofit onto their complex
> deployments. The draft still has warts to iron out, I'll help them with
> those.
>
> I am not convinced this scales down at all well, but there will likely be
> demand for securing outbound email traffic sent to the large providers. I am not a
> big fan of code to support the centralized email storage model of the large
> providers, but that battle is lost for now.
Alex Stamos at Facebook has publicly & repeatedly stated that DNSSEC is "dead". I guess that means no RFC 7672 at Facebook. With him making that statement I already know others taking the same position.

There seems to be a strong anti-DNSSEC crowd, complaining primarily on these issues:

1) Government access / possible interference with DNSSEC
2) Weak encryption (1024 bit keys)
3) Complexity of configuration & maintenance
4) "only 1 bit to tell you if things are ok or not"
5) DoS capabilities (people forget there are other & easier ways)

Google public DNS supports DNSSEC, but afaik no other part of Google uses it.

Although this proposal can live with or without DNSSEC, I am wondering if Google, Microsoft, LinkedIn & other major companies have any plans to deploy DNSSEC and RFC 7672. Or will this proposal be a shorter & easier step forward, eventually delaying or simply ignoring RFC 7672 for the foreseeable future?

Regards,
Per