Comment by taink

4 months ago

I have no knowledge of DANE but its reliance on DNSSEC makes me worried that it would be difficult for people to adopt it.

Also, I think it solves a different problem: it prevents spoofing/MITM but what about legitimate certificates? We would still need CAs that actually curate their customers and hold them accountable. And we would need email servers/clients to differentiate between strict CAs and ones that are used solely for encryption purposes.

I don't know that DNS should be applied to emails as is anyway but I find it could force spammers to operate with publicly available information which would make holding them accountable easier.

2 comments

taink

account42 4 months ago

> I have no knowledge of DANE but its reliance on DNSSEC makes me worried that it would be difficult for people to adopt it.

It's not hard to set up DNSSEC as long as your DNS server software supports it and most people don't run their own authorative DNS servers anyway.

tptacek 4 months ago

Uh huh.
https://ianix.com/pub/dnssec-outages.html