Oh wow, thanks for the numbers. Where did you get those, btw? I guess, indeed, it's not much of an issue until 2021 when Outlook deploys DANE for inbound (at least so they claim), at which point a substantial volume of mail will hit this.
Of course, but by the time most users adopt code written today it'll be 2021 at least (thanks Debian, Redhat, et al).

Matt

> On Jul 4, 2020, at 12:21, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Sat, Jul 04, 2020 at 02:34:15PM -0400, Matt Corallo wrote:
>
>> Thanks for the response, will see if it makes sense to at least disable
>> MTA-STS for DANE-enabled domains at
>> https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67.
>
> I don't think that's presently warranted. There are few enough MTA-STS
> domains, and even fewer that also do DANE.
>
>>> Yes, but for now, with deployment of both rather thin, and the
>>> intersection practically empty, it is OK to accept MTA-STS success even
>>> if perhaps the DANE policy would have failed.
>>
>> Hmm, I'd think nearly every DANE-enabled domain would *also* enable
>> MTA-STS. For example Protonmail has both enabled.
>
> But, that's simply not the case. There are ~1.93 million DANE domains.
> Only ~2050 of the DANE domains also do MTA-STS. The only large cluster
> of domains that do both is ~550 domains hosted by tutanota.de, these
> account for ~27% of the domains that have both, the rest are isolated
> instances. [ Among DANE domains hosted by tutanota.de, ~35% also have
> MTA-STS. ]
>
>>> Yes, there is no mechanism to validate both, or to have existence of
>>> TLSA records suppress the MTA-STS resolver policy.
>>
>> Right, so for now the only option is to have the MTA-STS resolver
>> return "dane-only" if it thinks DANE is enabled on all
>> the MXs and hope for the best.
>
> Or not worry about it, and make do with MTA-STS (when enabled) for now.
> Both technologies are in the early adoption phase, and the majority of
> domains are not protected at all, so either is a step up from the status quo.
> The edge-cases can be hardened later.
>
>> Of course that hatred of DNSSEC is a cargo-cult hatred at this point
>> given 1024-bit keys are long, long gone from the root and most TLDs at
>> this point. Still, Outlook/MS should be the big example here - they
>> have MTA-STS set to "testing" today, but presumably that will change,
>> and have committed to DANE next year.
>
> My advice remains the same, don't *yet* worry about the cases where
> DANE downgrades to MTA-STS. We'll deal with that later, let's first
> get to broad adoption.
>
> --
> Viktor.
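The workaround Matt describes in the quoted exchange (have the MTA-STS policy responder answer Postfix with "dane-only" when it believes every MX of the domain has TLSA records, and otherwise hand back the ordinary MTA-STS "secure match=..." policy) is sketched below as an added example. It is not code from postfix-mta-sts-resolver or from either author of the thread. TLSA presence is supplied through a constructed lookup table so the example runs offline; a real responder would have to obtain that information from DNSSEC-validated DNS lookups. The function names and the shape of the lookup table are assumptions made for illustration.

```python
"""Added example (not postfix-mta-sts-resolver's own code).

Decide which Postfix TLS policy to hand back for a destination domain when
both an MTA-STS policy and DANE TLSA records may exist.  Postfix cannot
evaluate both: whatever the policy map returns wins.  The idea from the
thread is to prefer "dane-only" whenever every MX host is known to publish
TLSA records, so that an MTA-STS "secure" answer does not silently replace
a stricter DANE check.
"""
from typing import Mapping, Sequence

# Constructed sample data (assumption for illustration): whether each MX host
# has a DNSSEC-signed TLSA record at _25._tcp.<mx>.  In production this table
# would be filled from DNSSEC-validated lookups, not hard-coded.
TLSA_PRESENT: Mapping[str, bool] = {
    "mx1.dane-only.example": True,
    "mx2.dane-only.example": True,
    "mx1.mixed.example": True,
    "mx2.mixed.example": False,   # one MX without TLSA -> DANE would fail here
}


def all_mx_have_tlsa(mx_hosts: Sequence[str], tlsa: Mapping[str, bool]) -> bool:
    """True only if every MX host of the domain has a TLSA record.

    A single MX without TLSA would make "dane-only" fail delivery to that
    host, so the conservative choice is to fall back to MTA-STS in that case.
    An empty MX list never qualifies for "dane-only".
    """
    return bool(mx_hosts) and all(tlsa.get(mx, False) for mx in mx_hosts)


def sts_match_patterns(policy_mx: Sequence[str]) -> str:
    """Translate MTA-STS policy 'mx:' entries into Postfix match= patterns.

    MTA-STS writes wildcard entries as "*.example.com"; Postfix policy tables
    express the same thing as ".example.com" (matching hosts under the domain).
    Exact host names pass through unchanged.
    """
    patterns = []
    for entry in policy_mx:
        patterns.append(entry[1:] if entry.startswith("*.") else entry)
    return ":".join(patterns)


def postfix_policy(mx_hosts: Sequence[str], policy_mx: Sequence[str],
                   tlsa: Mapping[str, bool]) -> str:
    """Return the smtp_tls_policy_maps value for one destination domain.

    mx_hosts  - the domain's actual MX hosts (constructed input here)
    policy_mx - the 'mx:' entries of the domain's MTA-STS policy
    tlsa      - lookup table of TLSA presence per MX host
    """
    if all_mx_have_tlsa(mx_hosts, tlsa):
        # DANE is possible on every MX: let Postfix enforce TLSA and do not
        # let the MTA-STS result replace the DANE check.
        return "dane-only"
    # Otherwise return the usual MTA-STS enforcement: "secure" with the
    # policy's MX names as the accepted certificate names.
    return "secure match=" + sts_match_patterns(policy_mx)


if __name__ == "__main__":
    print(postfix_policy(["mx1.dane-only.example", "mx2.dane-only.example"],
                         ["*.dane-only.example"], TLSA_PRESENT))
    print(postfix_policy(["mx1.mixed.example", "mx2.mixed.example"],
                         ["mx1.mixed.example", "mx2.mixed.example"], TLSA_PRESENT))
```

The "all MX hosts" condition is the whole point: a domain whose MX set is only partly DANE-enabled must not be answered with "dane-only", because Postfix would then refuse the MX hosts that lack TLSA records, while "secure match=..." still gives the MTA-STS protection for the entire set.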