<div dir="ltr"><div dir="ltr">On Mon, Mar 1, 2021 at 7:26 AM Jim Popovitch via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Over on the email side, I know of several instances in the past 5+ years<br>
where email providers have had to disable TLS and/or DANE/DNSSEC checks<br>
(i.e. postfix's smtp_tls_policy_maps) for .mil and .gov domains due<br>
mostly in part for poor key rollover management practives/monitoring.<br></blockquote><div><br></div><div>Disabling SMTP opportunistic TLS is a bit different since the standard fallback should be plain text SMTP anyway. I know our email people have a number of domains (mostly in the .gov space) where TLS is not opportunistic but enforced. The agencies that do that likely manage their SMTP certificates, however they are provided, more stringently.</div><div><br></div><div>It's unclear from your phrasing, though, if they disabled SMTP TLS for specific domains under .gov or .mil or for both entire gTLDs. The latter would seem like an overreaction and downgrading security where there was no identified operational need.</div><div><br></div><div>In either instance, it's not the same as a public service advertising a particular set of features to those who decide to consume it and then silently excluding large swaths of the Internet from one of those advertised security features. That's what I pointed out. If Quad9 updated the description of their service to accurately state the service they in fact provide, I wouldn't have an issue. I wouldn't have even asked about it publicly. Those who then chose to consume that service would have made an informed choice about the service they are consuming.</div><div><br></div><div>Scott </div></div></div>