On 02/15/2016 04:04 PM, Viktor Dukhovni wrote:
On Feb 15, 2016, at 2:29 PM, John Levine <johnl@xxxxxxxxx> wrote:
There are perfectly reasonable ways to do DANE-secured lookups of
mailbox keys. A simple one would be a per-domain SRV or URI record
that points at an RFC 4387 key server, with its certs secured by TLSA.
It's just as secure, just as DANE-ful, and has none of the semantics
and scaling problems of trying to shove mailbox keys into the DNS.
Its realistic security is better, since the mailbox names don't get
relayed through DNS caches of unknown snoopiness.
Sadly Keith Moore's addrquery draft seems to have stalled:
https://tools.ietf.org/html/draft-moore-email-addrquery-01
I agree that was a promising direction... Yes, I quibbled over
the details, but certainly not with the intention of blocking it;
rather, I wanted it to be more realistically deployable...
It's not dead. I'm still working on it and will try to get a revision
out this coming weekend.
Keith