On Mon, Apr 12, 2021 at 03:17:32PM -0700, Michael Thomas wrote: > > (1) may have been because of (2), and I believe (2) was because of > > internal technical and political issues. I.e., I would not consider it > > dispositive that Google seemed to like DANE then gave up on it, though > > that and why they did certainly is germane. > > Yes, that's what I would assume as well. Build it and they will come has a > sterling track record of failure in IETF. Building a technical spec is not enough, indeed. DANE hasn't succeeded yet, and neither has DNSSEC. But DANE is starting to gather steam (in no small part due to Viktor's efforts) in the realm of SMTP. The fact that DANE was early for its time doesn't mean that the single root and unyielding name constraints aren't appealing or appealing enough to make a more serious try now. As noted, the tooling for DNSSEC has been substantially improved in recent years. Implementations of DANE do exist now. There are a number of missing elements, such as a TLS extension to staple DANE that supports authenticated denial of existence. We're making progress though. It may seem slow, but there may be a preference cascade at some point. It may only take enough user-agent, and registrar / domain hosting services to provide this functionality to make it popular. Nico --