
DNSSEC and DANE: No Traction Yet - tptacek
https://blog.fastmail.com/2016/12/20/dnssec-dane/
======
tptacek
Something you might not know if you don't follow DNSSEC: its primary use case
--- the one thing it does that other protocols don't currently do already ---
is SMTP TLS security to encrypt traffic between mail servers.

Mail servers, of course, use TLS to encrypt traffic between themselves, but
it's "opportunistic" and falls back on unencrypted SMTP (so any MITM can force
a downgrade).

The plan was for DNSSEC/DANE to be used as a way for Google to signal that it
would only speak TLS SMTP and to disallow the downgrade.

If this sounds like a pretty marginal use case for a protocol that forklifts
out a pretty significant chunk of Internet infrastructure, well, you're not in
the minority with that opinion. The major SMTP providers have all decided not
to wait for DNSSEC/DANE to work properly and instead to simply do an SMTP-
specific version of Strict Transport Security.

This leaves DNSSEC with, by my current count, zero serious motivating use
cases.

I'm biased, of course: I think DNSSEC is probably the worst protocol ever
proposed by the IETF.

https://sockpuppet.org/blog/2015/01/15/against-dnssec/
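
Added example (not code from the post, from Fastmail, or from any mail provider): the two "no downgrade" signals the comment contrasts, modelled offline for a sending MTA. A DANE TLSA record (RFC 6698, as used for SMTP by RFC 7672) is matched against the certificate the receiving MX presents, and an MTA-STS policy (RFC 8461) is parsed and applied to decide whether delivery may fall back to cleartext. The policy text, TLSA record, host names and certificate bytes are all constructed for the example; no network lookups happen, and only DANE-EE (usage 3) records are matched, since a usage-2 record would have to be matched against a CA certificate in the presented chain.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (the only usages SMTP DANE uses)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes     # certificate association data carried in the record


def tlsa_record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented leaf certificate satisfies one DANE-EE record."""
    if rec.usage != 3:
        return False  # usage 2 needs the chain; not modelled in this offline example
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected == rec.data
    if rec.matching == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: record is unusable


def dane_accepts(records: List[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Any matching record is enough; with TLSA published, no match means no delivery."""
    return any(tlsa_record_matches(r, cert_der, spki_der) for r in records)


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """An mx entry matches exactly, or as '*.' plus exactly one extra label (RFC 8461 4.1)."""
    mx_host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
            prefix = mx_host[: -len(suffix)] if mx_host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif pattern == mx_host:
            return True
    return False


def delivery_decision(policy: Optional[dict], mx_host: str,
                      starttls_offered: bool, cert_valid_for_mx: bool) -> str:
    """'deliver' or 'defer'.

    With no policy this is plain opportunistic TLS: a stripped STARTTLS
    banner or a bogus certificate still ends in delivery, in the clear.
    In enforce mode the MX must be listed and must pass TLS, else defer.
    """
    tls_ok = starttls_offered and cert_valid_for_mx
    if policy is None or policy.get("mode") in (None, "none"):
        return "deliver"
    if policy["mode"] == "testing":
        return "deliver"  # RFC 8461: deliver anyway, only report the failure
    return "deliver" if mx_allowed(policy, mx_host) and tls_ok else "defer"


# Constructed sample inputs for a stand-alone run (not real records or keys).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 86400
"""
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo DER bytes"
SAMPLE_CERT = b"constructed certificate DER bytes"
SAMPLE_TLSA = [TLSARecord(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())]  # "3 1 1 <hex>"

if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print(delivery_decision(None, "mail.example.com", False, False))  # deliver (cleartext)
    print(delivery_decision(pol, "mail.example.com", False, False))   # defer
    print(dane_accepts(SAMPLE_TLSA, SAMPLE_CERT, SAMPLE_SPKI))         # True
```

The first call shows the downgrade the comment describes: with nothing published, a MITM that strips the STARTTLS capability still gets the message delivered. Either signal closes that path, but only DANE needs DNSSEC; MTA-STS gets its policy over HTTPS and relies on the web PKI plus caching of max_age, which is the trade the providers chose.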

