
Comment by strcat

2 months ago

Our project account posted a thread about our recent migration of our mail server to using our ASN and IP space. They replied to the thread by attacking Postfix, DNSSEC and DANE. They promoted the insecure MTA-STS approach promoted by Google despite them not fully adopting it for Gmail similarly to how they don't even use an enforcing DMARC policy despite punishing others for not doing it. We explained Domain Validation depends on DNS security. We also explained MTA-STS isn't the same as browser WebPKI due to an insecure bootstrapping and refreshing system along with lack of mandatory Certificate Transparency. We talked about Google's anti-competitive practices when it comes to email. Here's the thread, read it for yourself:

https://x.com/Avamander/status/2025719336552284161

The fact is that if you use the org TLD then you trust whoever runs it to issue certificates for your website and the same for your domain registrar. There's no point in pretending otherwise. It's very clearly how the system works. WebPKI does not truly add value over a TLSA record and DNSSEC beyond Certificate Transparency which is reactive and is NOT part of MTA-STS. MTA-STS also doesn't have mandatory encryption but rather opportunistic and can be stopped from using it. Gmail, the service which MTA-STS was created to be used with, has 1 day max-age for it.

Gmail has a lot of quite blatant security weaknesses and phishing weaknesses. People largely repeat the mantra of it being secure because Google account login security is decent including an option to make it harder to hijack accounts via customer support missing elsewhere.

Not really interested in a debate about it where someone repeats talking points often visible here and gets angry with us for not agreeing including getting angry because people like our replies.

https://x.com/Avamander/status/2025719336552284161

You take it too personally and if anyone is angry it's you. Listing shortcomings of a project is not "attacking", it's juvenile to think so. Shortcomings you refused to admit and your "explanations" were fundamentally misguided and incorrect. You eventually just resorted to FUD and blocking instead of actually looking at DNSSEC and DANE and the issues it has.

DNSSEC is a *bad* PKI, with infallible roots of trust, terrible adoption rate and horrible transparency. If someone misbehaves, you will have no idea, there will be no recourse and absolutely nobody is enforcing any standards on how things should be run.

Bringing DMARC and phishing into this topic is a desperate grasp at straws if I have ever seen one.

DNSSEC defenders should actually know what they're talking about first.
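The thread above argues over what an MTA-STS policy actually commits a sending server to, versus what a DANE TLSA record does. The following is an added example, written by the editor and not code from either participant or from any project mentioned in the thread. It parses an MTA-STS policy file in the RFC 8461 format and a TLSA record in the RFC 6698/7672 format, and then applies the RFC 8461 sending rule: only `mode: enforce` turns a failed MX or TLS check into a refusal to deliver, while `testing` and `none` let delivery proceed, which is the "opportunistic" behaviour the first comment refers to. The policy text, hostnames and TLSA digest below are constructed sample data, not records of any real domain.

```python
"""Parse an MTA-STS policy (RFC 8461) and a TLSA record (RFC 6698 / RFC 7672),
then show what each makes a sending MTA do when a check fails.
Added example with constructed inputs; not code from the thread's participants."""
import re
from dataclasses import dataclass, field

MAX_AGE_LIMIT = 31_557_600  # RFC 8461 3.2: max_age is capped at one year


@dataclass
class StsPolicy:
    version: str
    mode: str                      # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)
    max_age: int = 0               # seconds the sender may cache the policy


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the body of /.well-known/mta-sts.txt.
    A ValueError means 'malformed policy', which RFC 8461 says to treat as no policy."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in fields:
                raise ValueError(f"duplicate field: {key}")
            fields[key] = value
        # unknown keys are ignored for forward compatibility (RFC 8461 3.2)
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not re.fullmatch(r"\d+", fields.get("max_age", "")):
        raise ValueError("missing or non-numeric max_age")
    max_age = min(int(fields["max_age"]), MAX_AGE_LIMIT)
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("enforce/testing policy without any mx entry")
    return StsPolicy(fields["version"], fields["mode"], fields["mx"], max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 4.1: a leading '*' matches exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def sending_decision(policy: StsPolicy, mx_host: str, tls_verified: bool) -> str:
    """RFC 8461 5: what the sender does after checking the MX name and the TLS handshake."""
    if policy.mode == "none":
        return "deliver"                    # no policy in effect, nothing is checked
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if mx_ok and tls_verified:
        return "deliver"
    if policy.mode == "enforce":
        return "defer"                      # must not send over the failing connection
    return "deliver-and-report"             # testing: send anyway, only report via TLSRPT


@dataclass
class Tlsa:
    usage: int        # 2 = DANE-TA, 3 = DANE-EE (the only usages SMTP DANE uses, RFC 7672)
    selector: int     # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: str         # hex digest or DER bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse the presentation form of a TLSA RDATA string, e.g. '3 1 1 <hex>'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    data = "".join(parts[3:]).lower()
    if usage not in (2, 3):
        raise ValueError("SMTP DANE only uses usage 2 (DANE-TA) or 3 (DANE-EE)")
    if selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("invalid selector or matching type")
    expected_len = {1: 64, 2: 128}.get(matching)
    if not re.fullmatch(r"[0-9a-f]+", data) or (expected_len and len(data) != expected_len):
        raise ValueError("digest length does not match the matching type")
    return Tlsa(usage, selector, matching, data)


# Constructed sample inputs for demonstration (not real records).
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.org
mx: *.backup.example.org
max_age: 86400
"""
SAMPLE_TLSA = "3 1 1 " + "ab" * 32   # DANE-EE, SPKI, SHA-256, placeholder digest

if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    print(policy.mode, policy.max_age // 86400, "day(s) of caching")
    print("unknown MX, TLS ok  ->", sending_decision(policy, "mx.example.net", True))
    print("TLSA:", parse_tlsa(SAMPLE_TLSA))
```

Running it shows the difference the comment is pointing at: with `mode: testing` a wrong MX host still yields `deliver-and-report`, and even in `enforce` mode the cached commitment lasts only `max_age` seconds (one day here), whereas a TLSA record is a fixed DNS assertion that the sender verifies on every connection and never downgrades from.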