List: postfix-users
Subject: Re: DNSSEC, was Re: TLS client logging PATCH
From: Charles Marcus <CMarcus () Media-Brokers ! com>
Date: 2014-02-25 13:21:14
Message-ID: 530C98CA.5080606 () Media-Brokers ! com
On 2/24/2014 3:52 PM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
>> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>>> If you want scalable security for SMTP, become an early adopter
>>> of DANE TLS, available in Postfix 2.11. Today, you'll be able
>>> to opportunistically authenticate the handful of DNSSEC signed
>>> domains that publish TLSA records for SMTP. Over time, I hope
>>> that handful will grow to a decent fraction of SMTP sites.
>> Oh yes - DNSSEC. When will it come? In hundred years?
> Dirk, do you mind explaining this? Are you having trouble finding
> DNSSEC-enabled DNS hosting?
Well, here is what mine (DNSMadeEasy) says on the subject:
> After seeing others in the Managed DNS space fail to properly maintain
> these processes for customers and the headaches (and nightmares) that
> come from not properly implementing these processes, we have been very
> careful in approaching this difficult task.
and
> DNS Made Easy is monitoring the DNSSEC RFCs and their progress on the
> standards track. We will not consider implementing DNSSEC until NSEC3
> becomes widely implemented as NSEC allows domain enumeration (which we
> are firmly against). The root (.) domain is not signed and will not be
> signed for some time (if ever). There are currently some very real
> issues with DNSSEC key authentication, distribution, management, and
> revocation. DNS Made Easy will continue to evaluate DNSSEC
> implementation as these issues with the RFCs are resolved.
>
> Until the issues with DNS sec are resolved we will not consider
> implementing it with our primary service. I don't see this happening
> for a few years.
Curious what others (especially Viktor) think of this response. Why are
they 'firmly against' NSEC's 'enumeration of domains' feature, and the
comment about 'very real issues...'...
Anyone have any recommendations for decent DNS Service Providers that
don't cost an arm and another arm (DNSMadeEasy is really inexpensive,
and their service has been awesome for the 3+ years we've been using
them), and that are known to 'do DNSSEC' right?
--
Best regards,
Charles
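The NSEC3 hashing that the DNSMadeEasy statement refers to, as an added example (not code from this thread, from Postfix, or from DNSMadeEasy): RFC 5155 replaces the plaintext owner names in the denial-of-existence chain with iterated, salted SHA-1 hashes in base32hex, which is why NSEC3 does not hand out a zone listing the way NSEC's next-name pointers do. The salt `aabbccdd` and 12 iterations used below are the parameters of the RFC 5155 appendix example zone; nothing else is assumed.

```python
import base64
import hashlib

# NSEC3 encodes hashes in base32hex (RFC 4648 "Extended Hex"); Python's base64
# module only offers the standard base32 alphabet, so translate the output.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """Hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    A salt of "" or "-" means no salt, as in zone-file NSEC3PARAM syntax."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 output -> 32 base32hex characters, no padding; zone files
    # and validators compare these case-insensitively, lowercase by convention.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: algorithm 1 (SHA-1),
    # 12 iterations, salt aabbccdd. The signed zone contains only these hashed
    # names, so a resolver validating a negative answer recomputes the hash of
    # the queried name and checks it falls between two NSEC3 owner names.
    for owner in ("example.", "a.example.", "ns1.example."):
        print(f"{owner:15} -> {nsec3_hash(owner, 'aabbccdd', 12)}.example.")
```

Without the salt and iteration count from the zone's NSEC3PARAM record, the hashed names cannot be computed, and even with them an observer only learns a name if they already guess it and hash it.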