DANE of SMTP Survey

Jeroen Massar jeroen at massar.ch
Wed Jun 2 09:07:34 UTC 2021



> On 20210601, at 15:15, Moritz Müller via NANOG <nanog at nanog.org> wrote:
> 
> Hi,
> 
> DANE for SMTP is not deployed on a large scale. Together with researchers from Seoul National University, Virginia Tech and the University of Twente, we would like to understand which challenges operators face when deploying DANE for SMTP.

DNSSEC?

... ;)

No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them.

Now, over the last few years this fragility has become less, especially with DNS servers already doing most of the work for you, but people still find it scary, as when DNS breaks (and "it is always DNS", unless it is the network full of packets eh, or broken routes, etc), then you lose all your eggs.

And replacing a DNS key can take a few moments, especially with caching of records etc.
Thus downtime is then ensured.


Combine that with many shops not having much DNS knowledge in the first place, they won't easily get their heads around that barrier.

Hosted offerings (where the shop has 24/7 people just for DNS) are then the only way to go, but then why have an Internet, we could just let everything be done by a single Monopoly and be done with it.


As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing for too long.

Greets,
 Jeroen


