On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen rkampen@kampensonline.com wrote:
Sounds good, but how many domain MX servers have set up these fingerprint keys? 1%, maybe 2%. So how do you code for that? I guess I'm thinking it uses it if available. So even if you do post it on your DNS, how many clients out there are using DANE on their set up? By the time it becomes more than a tiny % and generally useful, it will be in CentOS 8. It also requires certificates to be implemented more ubiquitously than at present - although we do now have affordable solutions, so this one may resolve more quickly.
I hope my prior comments weren't too off topic but a lot of people don't seem to understand the purpose for an enterprise distribution.
DANE is a perfect example of this. Go poll the SMTP servers for any company on the S&P 500 and I can almost guarantee that 99.9% of them will not have TLSA records for DANE. It's a new/emerging technology. The same is true with DNSSEC (which is actually quite old).
Enterprises are typically behind in the technology they adopt. Stability and reliability are paramount. This is where RHEL and CentOS come in.
I know of a few companies listed on the S&P 500 who still have SSLv3 turned on to allow customers with old versions of Internet Explorer on Windows XP to connect. You can't simply assume everyone is using the latest technology.
This is the reason IBM loves System z.
Brandon Vincent
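As an added illustration of what the thread is arguing about (this is example code written for this page, not anything posted by the participants or shipped in CentOS), the following shows the decision a DANE-aware SMTP client has to make once it has looked up a domain's MX hosts: which owner name to query for TLSA records, how to parse the "3 1 1 <hex>" records an operator publishes, how to match them against the certificate the MX host presents, and what happens in the common case Rob describes, where the domain publishes no (DNSSEC-validated) TLSA records at all. No live DNS or TLS is performed; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and only the DANE-EE (usage 3) case is fully handled, since DANE-TA (usage 2) would additionally require chain validation to the published trust anchor.

```python
"""
Added example: the TLSA lookup-name, record parsing and certificate
matching logic of a DANE-aware SMTP client (RFC 6698 / RFC 7672).
Not code from the mailing-list thread. SAMPLE_CERT and SAMPLE_SPKI are
constructed byte strings standing in for real DER structures.
"""
import hashlib
from dataclasses import dataclass
from typing import List

# Constructed stand-ins for a server's DER certificate and its
# SubjectPublicKeyInfo. Real matching hashes the actual DER bytes; any
# byte string exercises the same logic.
SAMPLE_CERT = b"constructed DER certificate bytes"
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes"


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int    # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data


def tlsa_qname(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name the client queries for an MX host, e.g. _25._tcp.mx1.example.com."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


def _select_and_digest(selector: int, matching: int,
                       cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector and matching type to the presented cert."""
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def publish_tlsa(cert_der: bytes, spki_der: bytes,
                 usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Operator side: the rdata to put in the zone for this key ('3 1 1 <hex>')."""
    data = _select_and_digest(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {data.hex()}"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format; zone files may split the hex over several tokens."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate satisfies this record's association data."""
    return _select_and_digest(rec.selector, rec.matching, cert_der, spki_der) == rec.data


def dane_verdict(records: List[str], dnssec_validated: bool,
                 cert_der: bytes, spki_der: bytes) -> str:
    """
    Client side. Returns:
      "no-dane": no DNSSEC-validated TLSA records, so the client can at best do
                 opportunistic, unauthenticated TLS (the common case the thread
                 describes);
      "pass":    a DANE-EE record matches; with usage 3 this alone authenticates
                 the server, without PKIX chain or name checks (RFC 7672 3.1.1);
      "fail":    records exist but none matched. RFC 7672 treats PKIX usages 0/1
                 as unusable for SMTP; DANE-TA (2) is not implemented here, so it
                 also lands in "fail". A real client refuses delivery on "fail".
    """
    if not dnssec_validated or not records:
        return "no-dane"
    for rec in map(parse_tlsa, records):
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return "pass"
    return "fail"
```

The `dnssec_validated` flag is the part people most often miss: a TLSA record that did not arrive with DNSSEC validation (the AD bit from a validating resolver) carries no authentication value and has to be treated as absent, which is why DANE deployment is bounded by DNSSEC deployment as the thread notes.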