Mon Mar 1 19:01:55 UTC 2021

On Mon, Mar 01, 2021 at 06:21:28PM +0000, Paul Vixie wrote:

> > Over on the email side, I know of several instances in the past 5+ years
> > where email providers have had to disable TLS and/or DANE/DNSSEC checks
> > (i.e. postfix's smtp_tls_policy_maps) for .mil and .gov domains due
> > mostly in part for poor key rollover management practices/monitoring.
> so, this is a game of "chicken" where the wrong people keep flinching.

Yes, true while both sites publishing DANE TLSA and sites verifying are
a small minority.  The hope is that as deployment ramps up we'll at some
point be able to hold the guilty party responsible.

Presently, I am working on tooling to simplify cert rollover for sites
with TLSA RRs, so that persistent/neglected denial-of-existence issues
aside (here's looking at you NameCheap), at least operator error with
cert updates should become even less frequent.

Microsoft is making outbound DANE validation available in cloud-hosted
Exchange, it'd be nice to see them also do it for the consumer
platforms, outlook.com and hotmail.com.  Once a few large enough
providers are willing to not blink first, the smaller players should
be able to also stand firm.
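The "operator error with cert updates" mentioned above is usually a new certificate going live before the TLSA RRset matches it. The following is an added illustration, not code from the thread or from any project named in it, of a pre-install check: it parses "3 1 1"-style TLSA rdata and refuses a candidate cert unless the published RRset already matches both the deployed and the candidate key. The cert/SPKI byte strings are constructed stand-ins; real ones would be the DER certificate and its SubjectPublicKeyInfo.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE, the usage SMTP DANE deployments rely on
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex>' (RFC 6698)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_rdata(spki_der: bytes, usage: int = 3, mtype: int = 1) -> str:
    """Presentation-format '3 1 1' (or '3 1 2') record for a public key."""
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"{usage} 1 {mtype} {digest(spki_der).hexdigest()}"


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does one TLSA record cover this certificate / public key?"""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return rr.data == selected
    if rr.mtype == 1:
        return rr.data == hashlib.sha256(selected).digest()
    if rr.mtype == 2:
        return rr.data == hashlib.sha512(selected).digest()
    return False  # unknown matching type: never treat as a match


def rollover_check(rrset, current, candidate):
    """current/candidate are (cert_der, spki_der) pairs.  Returns
    (current_matched, candidate_matched).  Install the candidate only when
    both are True: resolvers cache the old RRset until TTL expiry, and the
    new key must already be published or DANE-verifying senders will fail."""
    def matched(cert_der, spki_der):
        return any(tlsa_matches(rr, cert_der, spki_der)
                   for rr in rrset if rr.usage == 3)  # DANE-TA records need the chain, not handled here
    return matched(*current), matched(*candidate)


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded material.
    old = (b"constructed-old-cert-der", b"constructed-old-spki-der")
    new = (b"constructed-new-cert-der", b"constructed-new-spki-der")
    rrset = [parse_tlsa(tlsa_rdata(old[1]))]           # only the old key is published
    print(rollover_check(rrset, old, new))             # (True, False): do not install yet
    rrset.append(parse_tlsa(tlsa_rdata(new[1])))       # pre-publish the new key, wait a TTL
    print(rollover_check(rrset, old, new))             # (True, True): safe to swap certs
```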