
Office 365 to support DANE and DNSSEC - amaccuish
https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494
======
cryptonector
This is truly momentous. This should be on the HN front page.

This will help get Google and others to follow suit.

With all the big players using DNSSEC and DANE, you can expect close to
universal deployment, and that will be a game changer for Internet security.

None of this would have happened without Viktor Dukhovni's incredible effort
these past several years. He built a survey of DANE usage so as to find
brokenness and get it fixed -- long-term brokenness would have caused the
protocol to get abandoned. Once the big players have DANE support, they and
everyone else will have huge incentive to monitor their own domains for
breakage, which will make breakage a rarity.

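An added example, not from any commenter in this thread: a standard-library-only Python check of the kind the DANE survey mentioned above performs, i.e. does the certificate chain a mail server presents match the TLSA RRset published for its MX host (RFC 6698 matching, with the SMTP-specific rule from RFC 7672 that the PKIX usages 0 and 1 are not usable). The certificates here are constructed DER skeletons built inline for the demo, not real certificates; in practice the chain would come from a STARTTLS session to the MX host and the RRset from a DNSSEC-validating lookup of `_25._tcp.<mx-host>`. The rollover helper also shows the most common cause of the "breakage" such a survey finds: a `3 0 1` (full-certificate hash) record stops matching as soon as the certificate is renewed, while a `3 1 1` (SPKI hash) record survives any renewal that keeps the same key.

```python
"""DANE/TLSA matching for SMTP (RFC 6698 / RFC 7672), standard library only.
Added example for this page; the certificates are constructed test skeletons."""
import hashlib
import hmac

# TLSA field values (RFC 6698 section 2.1). Per RFC 7672 section 3.1.3 the PKIX
# usages 0 and 1 are not usable for SMTP (MTA-to-MTA TLS has no agreed set of
# trust anchors); only DANE-TA(2) and DANE-EE(3) are.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1                      # full certificate / subjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
SEQ, INT, BITSTR, OID, UTCTIME = 0x30, 0x02, 0x03, 0x06, 0x17   # DER tags used below


def der_tlv(data, offset=0):
    """Decode one DER TLV at offset; return (tag, full_tlv_bytes, value_bytes)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, data[offset:end], data[pos:end]


def der_children(body):
    """Yield (tag, full_tlv_bytes) for each element directly inside a SEQUENCE body."""
    offset = 0
    while offset < len(body):
        tag, tlv, _ = der_tlv(body, offset)
        yield tag, tlv
        offset += len(tlv)


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    _, _, cert_body = der_tlv(cert_der)                # Certificate ::= SEQUENCE
    _, tbs_tlv = next(der_children(cert_body))         # tbsCertificate is the first element
    fields = list(der_children(der_tlv(tbs_tlv)[2]))
    # The optional [0] EXPLICIT version (tag 0xA0) shifts the later fields by one:
    # version?, serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[6 if fields[0][0] == 0xA0 else 5][1]


def tlsa_association_data(cert_der, selector, matching_type):
    """Compute the certificate association data a TLSA record should carry for this cert."""
    selected = cert_der if selector == SEL_CERT else extract_spki(cert_der)
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def parse_tlsa(presentation):
    """Parse the zone-file form '3 1 1 <hex>' into (usage, selector, mtype, data)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata.split()))


def dane_check(records, chain):
    """Classify a presented chain [leaf, issuer, ...] against a TLSA RRset.

    Returns 'authenticated', 'mismatch' or 'no-usable-records'. DANE-EE is matched
    against the leaf only, DANE-TA against any certificate in the chain (the path
    building and name checks that follow a DANE-TA match are out of scope here).
    """
    usable = [r for r in records if r[0] in (DANE_TA, DANE_EE)]
    if not usable:
        return "no-usable-records"
    for usage, selector, mtype, data in usable:
        for cert in (chain[:1] if usage == DANE_EE else chain):
            if hmac.compare_digest(tlsa_association_data(cert, selector, mtype), data):
                return "authenticated"
    return "mismatch"


# ---- constructed test data: DER skeletons shaped like X.509, not real certificates ----

def der_encode(tag, body):
    """Encode one DER TLV, using the long-form length when the body exceeds 127 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def synthetic_certificate(pubkey_bytes, serial=b"\x01"):
    """Build a structurally valid Certificate DER around the given raw public key bytes."""
    ecdsa_sha256 = der_encode(SEQ, der_encode(OID, bytes.fromhex("2a8648ce3d040302")))
    spki = der_encode(SEQ, der_encode(SEQ, der_encode(OID, bytes.fromhex("2a8648ce3d0201")))
                      + der_encode(BITSTR, b"\x00" + pubkey_bytes))
    tbs = der_encode(SEQ, b"".join([
        der_encode(0xA0, der_encode(INT, b"\x02")),                    # version v3
        der_encode(INT, serial), ecdsa_sha256,
        der_encode(SEQ, b""),                                          # issuer (empty Name)
        der_encode(SEQ, der_encode(UTCTIME, b"200401000000Z") * 2),    # validity
        der_encode(SEQ, b""),                                          # subject (empty Name)
        spki]))
    return der_encode(SEQ, tbs + ecdsa_sha256 + der_encode(BITSTR, b"\x00" * 65))


def rollover_demo():
    """Renew the cert with the same key: a '3 1 1' record keeps matching, a '3 0 1' breaks."""
    key = bytes(range(65))                   # constructed: 65 bytes standing in for an EC point
    old_cert, new_cert = synthetic_certificate(key, b"\x01"), synthetic_certificate(key, b"\x02")
    spki_rec = (DANE_EE, SEL_SPKI, MATCH_SHA256, tlsa_association_data(old_cert, SEL_SPKI, MATCH_SHA256))
    cert_rec = (DANE_EE, SEL_CERT, MATCH_SHA256, tlsa_association_data(old_cert, SEL_CERT, MATCH_SHA256))
    return dane_check([spki_rec], [new_cert]), dane_check([cert_rec], [new_cert])
```

The result of `dane_check` only means anything when the TLSA RRset was obtained through a validating resolver with the AD bit set (or validated locally); an unsigned or bogus RRset must not be used for authentication, and this snippet deliberately does no DNS at all. A monitoring job for one's own domains would run `dane_check` against every MX host's presented chain and alert on anything other than `authenticated`, and would publish the `3 1 1` record for the next key before rolling to it.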
~~~
wglb
> With all the big players using DNSSEC and DANE

Which are the big players that are currently using these in real-world actual
deployments, as opposed to planned?

~~~
cryptonector
Even planned makes a difference. It sends a signal. And you know that various
European governments are pushing for this. It's a matter of time.

~~~
tptacek
It's been 25 years and deployment is stuck at 1%, with virtually none of the
major tech companies --- Microsoft included, since none of their zones are
signed --- in that set.

Microsoft cosponsored MTA-STS, the competing solution that doesn't use DNSSEC.

I think you're right: Microsoft is doing this because European customers are
demanding it. DNSSEC is moribund. It may be a quirky thing that companies in
Europe do, but it isn't going anywhere elsewhere.

~~~
ietf-dane
A few recent DANE deployments:

    
    
      * infomaniak.ch - Swiss hosting provider
      * triodos.com - Bank in Spain
      * startupstack.tech - California hosting company
      * elbiahosting.sk - Slovak hosting company
      * isu.net.sa - Saudi research centre
      * statens-it.dk - Multiple Denmark government domains
      * startmail.com - Email provider in Germany
      * webreus.nl - hosting provider in the Netherlands
      * mailfence.com - Email provider in Belgium
      * velocir.co.uk - UK hosting and email provider
    

In the last 90 days 108k new domains via 828 new providers, plus more domains
via existing providers, now 1.88 million domains total.

Microsoft has a titanic-sized infrastructure to turn around, so it won't
happen overnight, but they and more will deploy as time marches on, and in the
meantime it is MTA-STS that's moribund...

~~~
tptacek
Well. As goes elbiahosting.sk, so goes the Internet.

~~~
ietf-dane
Yes, precisely, they and many, many others. The Internet I want to nurture is
the decentralized Internet that links millions of independent actors, rather
than the walled-garden Internet of 3 cloud platforms. I am of course pleased
to see also the big players supporting open technologies.

Here's a longer list of providers MX-hosting over 1k domains for customers
with DNSSEC and DANE:

    
    
      1033606 one.com
       136407 transip.nl
       100893 domeneshop.no
        88794 loopia.se
        72402 infomaniak.ch
        38424 active24.com
        30972 vevida.com
        30549 antagonist.nl
        27595 webreus.nl
        26928 web4u.cz
        26122 zxcs.nl
        25001 udmedia.de
        17389 bhosted.nl
        15135 flexfilter.nl
        13863 onebit.cz
         9925 protonmail.ch
         5798 netzone.ch
         5597 previder.nl
         5461 soverin.net
         5058 zonemx.eu
         4803 mailplatform.eu
         3406 ips.nl
         3072 interconnect.nl
         2568 provalue.nl
         2084 nederhost.nl
         1932 spamcluster.nl
         1836 mailbox.org
         1673 nmugroup.com
         1445 yourdomainprovider.net
         1348 mijnspamfilter.nl
         1326 hi7.de
         1297 tutanota.de
         1255 spamfilterserver.com
         1219 surfmailfilter.nl
         1151 prolocation.net
         1009 xcellerate.nl
    

It is more difficult to measure the scale of deployments by individual domains
with large numbers of users, as the numbers are not apparent in DNS, but these
include comcast.net, web.de, gmx.de, ...

The inertia to overcome is enormous, and the deployment time scale will be
comparable to IPv6, which is just starting to gain ground after 3 decades. No
need to tighten your seatbelt, it's a long ride, but adoption is growing and
even accelerating. It would be nice and not too surprising, to get from the
current ~2.5% (11 million signed domains out of ~400 million overall) to >5%
in the next few years.

~~~
tptacek
See, you go into this thinking maybe "elbiahosting.sk" is a fluke, but no,
"flexfilter.nl" and "tkservers.com" (whose home page redirects straight to a
Roundcube login) are right there with them. Mailplatform.eu is DNSSEC-signed?
Can Google Mail be far behind?

Essentially, you're going to be able to demonstrate that DNSSEC is widespread
in Europe. I concede that readily. I absolutely believe DNSSEC has a long
future as an idiosyncratic thing only European companies do.

~~~
ietf-dane
Well, there's also a significant rate of adoption in Brazil. US domains await
support from Godaddy et al., with Godaddy recently announcing that DNSSEC
will be available as a standard offering, not just a premium option. Adoption
barriers still exist, but are falling.

I am not expecting miracles overnight, but I'm patiently playing the long
game, and not too worried about the past or the status quo.

~~~
tptacek
When it's like, a couple months, or even a year or so, sure, the past might
not have much to tell you. But it's been _twenty-five years_. Even if you
start at DNSSECbis, it's been almost 20 years since the typecode roll. At some
point, ignoring the past stops being such a prudent strategy.

~~~
cryptonector
I mean, x.509 is even older, and yet we still don't have a real PKI.

There's no reason to think that some technology being 25 years old means it's
dead if not used already.

We have two realistic paths to a true PKI, both based on DNS: a) DNSSEC, b) the
registries/registrars operate name-constrained (at least as anchors) CAs.
That's it.

The WebPKI offers little real security. Certificate transparency is just like
DNSSEC -- it needs big deployment to be a win, and it's especially needed
because we don't trust the CAs because there's so many because they are not
name constrained.

In DNSSEC the trust problem is still there, so CT could be applied to DNSSEC,
but if you use QName minimization then it's harder for the root zone and TLDs
to decide when to MITM you -- that's a really strong characteristic that PKIX
couldn't hope to have because it doesn't have a directory. (Stapling DNSSEC
chains in TLS would defeat this, but it is needed for last mile reasons, such
as hotel networks.)

~~~
tptacek
Nobody likes the WebPKI. But if you posted the private key for _any_ trusted
CA on Pastebin, it would be a very big deal. People around the world would get
paged, and many of them would actually have to come in to work.

Contrast that with DNSSEC. The root key for the entire Internet, the one they
have the secret Stonecutters ceremony to establish, could end up on Pastebin
tomorrow and nothing would happen. Nothing would happen the next day either.
Weeks could elapse and nothing would happen.

What's more, the comparison holds if you go back a year, 2 years, 10 years.
The WebPKI is old (though evolving, unlike DNSSEC, for which things like
transparency logs remain defensively evoked hypotheticals), but it has been
important throughout its life.

Hell, the application of DNSSEC we're talking about here is _subsidiary to the
WebPKI_ --- it's simply making sure that mail servers speak WebPKI-secured
TLS to each other!

------
tptacek
Previously.

[https://news.ycombinator.com/item?id=22805730](https://news.ycombinator.com/item?id=22805730)

