On 25.09.18 at 17:34, Viktor Dukhovni wrote:
>
>
>> On Sep 25, 2018, at 9:29 AM, Paul Menzel <pmen...@molgen.mpg.de> wrote:
>>
>> We want to improve that. Unfortunately, DANE is not an option as the DFN
>> does not support that,
>
> What do you mean by "DFN does not support that"? If by "DFN" you mean
> "DFN-Verein", their certificates pose no compatibility issues with DANE.
> For example:

Large parts of the German universities now use the DFN MailSupport (= inbound mail relaying and filtering by DFN). The MX records are in mx.srv.dfn.de, which is not signed (the whole dfn.de is not signed). So you can have your own zone DNSSEC enabled, but not the one with the MX. I heard they are working on this. This is also a blocker for our project to have DANE-secured SMTP transport for all Bavarian universities.

Bernhard
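
Added example, not part of the original message: it models the order of DNSSEC checks a DANE-aware sending MTA makes (per RFC 7672) to show why a signed recipient zone does not help when the MX host sits in an unsigned zone. The domain names, the `Answer` type, `dane_status` and all DNS answers are constructed for illustration; only A lookups are modelled.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    """One DNS answer as a validating resolver would report it."""
    records: list
    secure: bool  # True when the answer was DNSSEC-validated (AD bit)

def dane_status(domain, dns):
    """Return {mx_host: verdict} for SMTP delivery to `domain`.

    `dns` maps (name, rrtype) -> Answer and stands in for a resolver.
    """
    mx = dns.get((domain, "MX"))
    if mx is None or not mx.records:
        return {}
    verdicts = {}
    for host in mx.records:
        # 1. The MX RRset itself must come from a signed zone.
        if not mx.secure:
            verdicts[host] = "no DANE: MX RRset not validated"
            continue
        # 2. The MX host's address records must validate too; if they do
        #    not, the sender does not even look for TLSA records.
        addr = dns.get((host, "A"))
        if addr is None or not addr.secure:
            verdicts[host] = "no DANE: MX host in unsigned zone"
            continue
        # 3. TLSA records live next to the MX host name, so they can only
        #    be signed by the operator of the MX host's zone.
        tlsa = dns.get((f"_25._tcp.{host}", "TLSA"))
        if tlsa is None or not tlsa.records or not tlsa.secure:
            verdicts[host] = "no DANE: no validated TLSA records"
            continue
        verdicts[host] = "DANE"
    return verdicts

# Constructed answers: uni.example signs its own zone but relays inbound
# mail through a host in an unsigned zone; self.example runs its own MX.
SAMPLE_DNS = {
    ("uni.example", "MX"): Answer(["mx1.relay.example"], secure=True),
    ("mx1.relay.example", "A"): Answer(["192.0.2.10"], secure=False),
    ("self.example", "MX"): Answer(["mail.self.example"], secure=True),
    ("mail.self.example", "A"): Answer(["192.0.2.20"], secure=True),
    ("_25._tcp.mail.self.example", "TLSA"):
        Answer(["3 1 1 <constructed digest>"], secure=True),
}

if __name__ == "__main__":
    for d in ("uni.example", "self.example"):
        print(d, dane_status(d, SAMPLE_DNS))
```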