
Support of DANE and DNSSEC in Office 365 Exchange Online - throw0101a
https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494
======
sybercecurity
DANE for SMTP is supported in Postfix as well. DANE is more popular in Europe
currently than the newly specified MTA-STS. Larger providers tend to prefer
MTA-STS because it does not mandate the use of DNSSEC.

~~~
ietf-dane
DNSSEC deployment is growing steadily:

      https://stats.dnssec-tools.org/images/totalds.svg
      https://stats.dnssec-tools.org/tld-graphs/com.png
      https://stats.dnssec-tools.org/tld-graphs/net.png
      https://stats.dnssec-tools.org/tld-graphs/org.png
      https://stats.dnssec-tools.org/tld-graphs/biz.png
      https://stats.dnssec-tools.org/tld-graphs/info.png
      https://stats.dnssec-tools.org/tld-graphs/us.png

The USA is #2 behind Germany by number of DANE-enabled MX host IPs:

      https://mail.sys4.de/pipermail/dane-users/2020-April/000553.html

The USA is not always the best practice to emulate. Microsoft's SMTP servers
host mail for at least 284k (today's count) signed domains. When they enable
inbound DANE, these (likely more by then) will be protected by DNSSEC and
DANE.

The rear-view mirror is not always the best guide to the road ahead.

~~~
tptacek
It looks like they're growing steadily, from those graphs, until you look at
the Y axis and realize it's been cropped to look like it's growing steadily.
In fact, DNSSEC-signed zones in .COM have _gone down_ in some recent years.

In fact, DNSSEC is deployed in a tiny fraction of all .COM zones (something
close to 1%), virtually none of which are significant, as you can quickly
discover by feeding a list of top zones (the Moz 500 is easy to download)
through "host -t ds".

In reality, DNSSEC is moribund.
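
The "host -t ds" survey mentioned in the comment above, as an added example that is not part of the thread: a shell sketch that tallies how many zones in a list have a DS record in the parent zone. The function names and the sample output are constructed for illustration; `survey` needs the `host` utility and network access, while the parsing functions run offline.

```shell
#!/bin/sh
# Added example (not from the thread): tally DS presence from `host -t ds` output.
# A DS record in the parent shows the delegation is signed; it does not
# validate the chain of trust.

# classify_ds: read `host -t ds` output on stdin and print "<zone> signed" or
# "<zone> unsigned" once per zone. A zone with several DS records counts once.
# Lookup failures (NXDOMAIN, SERVFAIL) are skipped rather than counted unsigned.
classify_ds() {
    awk '
        / has DS record /   { state[$1] = "signed"; next }
        / has no DS record/ { if (!($1 in state)) state[$1] = "unsigned"; next }
        END { for (z in state) print z, state[z] }
    ' | sort
}

# summarize: read the same input and print "<signed>/<total answered>".
summarize() {
    classify_ds | awk '{ t++; if ($2 == "signed") s++ }
                       END { printf "%d/%d\n", s, t }'
}

# survey FILE: live run over a file with one zone name per line.
survey() {
    while read -r zone; do
        [ -n "$zone" ] && host -t ds "$zone"
    done < "$1" | summarize
}

# Constructed sample output: documentation domains, placeholder digests.
sample_output() {
    cat <<'EOF'
example.com has DS record 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
example.com has DS record 12346 13 2 1111111111111111111111111111111111111111111111111111111111111111
example.net has no DS record
example.org has no DS record
Host missing.example not found: 3(NXDOMAIN)
EOF
}

sample_output | summarize
```
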

------
tptacek
Note that none of Microsoft's domains are even signed. What this announcement
really says is that Office 365 will at some point in the next 12 months stop
implementing Microsoft's policy of _actively impeding people_ from using
DNSSEC.

