> On Feb 15, 2016, at 2:29 PM, John Levine <johnl@xxxxxxxxx> wrote:
>
> There are perfectly reasonable ways to do DANE-secured lookups of
> mailbox keys. A simple one would be a per-domain SRV or URI record
> that points at an RFC 4387 key server, with its certs secured by TLSA.
> It's just as secure, just as DANE-ful, and has none of the semantics
> and scaling problems of trying to shove mailbox keys into the DNS.
> Its realistic security is better, since the mailbox names don't get
> relayed through DNS caches of unknown snoopiness.

Sadly Keith Moore's addrquery draft seems to have stalled:

https://tools.ietf.org/html/draft-moore-email-addrquery-01

I agree that was a promising direction... Yes I quibbled over
the details, but certainly not with the intention of blocking it,
rather I wanted it to be more realistically deployable...

--
Viktor.