On Sat, Jul 04, 2020 at 02:34:15PM -0400, Matt Corallo wrote:

> Thanks for the response, will see if it makes sense to at least disable 
> MTA-STS for DANE-enabled domains at
> https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67.

I don't think that's presently warranted.  There are few enough MTA-STS
domains, and even fewer that also do DANE.

> > Yes, but for now, with deployment of both rather thin, and the
> > intersection practically empty, it is OK to accept MTA-STS success even
> > if perhaps the DANE policy would have failed.
> 
> Hmm, I'd think nearly every DANE-enabled domain would *also* enable
> MTA-STS. For example Protonmail has both enabled.

But, that's simply not the case.  There are ~1.93 million DANE domains.
Only ~2050 of the DANE domains also do MTA-STS.  The only large cluster
of domains that do both is ~550 domains hosted by tutanota.de, these
account for ~27% of the domains that have both, the rest are isolated
instances.  [ Among DANE domains hosted by tutanota.de, ~35% also have
MTA-STS. ]

> > Yes, there is no mechanism to validate both, or to have existence of
> > TLSA records suppress the MTA-STS resolver policy.
> 
> Right, so for now the only option is to have the MTA-STS resolver
> return "dane-only" if it thinks DANE is enabled on all
> the MXs and hope for the best.

Or not worry about it, and make do with MTA-STS (when enabled) for now.
Both technologies are in the early adoption phase, and the majority of
domains are not protected at all, so either is a step up from the status quo.
The edge-cases can be hardened later.

> Of course that hatred of DNSSEC is a cargo-cult hatred at this point
> given 1024-bit keys are long, long gone from the root and most TLDs at
> this point. Still, Outlook/MS should be the big example here - they
> have MTA-STS set to "testing" today, but presumably that will change,
> and have committed to DANE next year.

My advice remains the same, don't *yet* worry about the cases where
DANE downgrades to MTA-STS.  We'll deal with that later, let's first
get to broad adoption.

-- 
    Viktor.
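The "dane-only if DANE is enabled on all the MXs" idea from the thread, sketched as an added example (not code from postfix-mta-sts-resolver or from either poster). It assumes the resolver hands Postfix a `smtp_tls_policy_maps` value, `dane-only` or `secure match=...`, and that DNS results have already been gathered into the constructed `MxInfo` records below; the `*.` to `.` wildcard rewrite for Postfix match patterns is also an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MxInfo:
    """Constructed summary of what DNS told us about one MX host."""
    host: str
    tlsa_present: bool   # a usable TLSA RRset exists at _25._tcp.<host>
    dnssec_secure: bool  # MX and TLSA answers were DNSSEC-validated (AD bit)


def mx_is_dane_capable(mx: MxInfo) -> bool:
    # DANE only protects the hop when the TLSA records themselves are validated.
    return mx.tlsa_present and mx.dnssec_secure


def sts_pattern_to_postfix(pattern: str) -> str:
    # MTA-STS "*.example.com" becomes Postfix's ".example.com" sub-domain form (assumed).
    return pattern[1:] if pattern.startswith("*.") else pattern


def choose_policy(mx_list: List[MxInfo], sts_mode: str,
                  sts_mx_patterns: List[str]) -> Optional[str]:
    """Pick the Postfix TLS policy for one destination domain.

    Prefer DANE only when *every* MX is DANE-capable, so no MX is left
    with a weaker policy than the MTA-STS one would have given it.
    Otherwise fall back to the MTA-STS policy: 'enforce' yields a
    'secure match=' entry, 'testing'/'none' yields no override (None).
    """
    if mx_list and all(mx_is_dane_capable(mx) for mx in mx_list):
        return "dane-only"
    if sts_mode == "enforce" and sts_mx_patterns:
        return "secure match=" + ":".join(sts_pattern_to_postfix(p)
                                          for p in sts_mx_patterns)
    return None


# Constructed sample: one domain whose second MX lacks TLSA records.
SAMPLE_MX = [
    MxInfo("mx1.example.com", tlsa_present=True, dnssec_secure=True),
    MxInfo("mx2.example.com", tlsa_present=False, dnssec_secure=True),
]

if __name__ == "__main__":
    print(choose_policy(SAMPLE_MX, "enforce", ["*.example.com"]))
```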
