Conversation
gmail.com isn't even DNSSEC signed yet... (a prerequisite for DANE.)
dnsviz.net/d/gmail.com/dn
To me it seems that Google really pushes "their" MTA-STS. However, it's not helping the decentralized internet as smaller mail setups can't really profit from MTA-STS (for their inbound).
Wow, and google.com isn't either. Ick. I wonder if they have some massive infrastructure problem that prevents it or if this is more ideological (possibly with underlying commercial reason) opposition to DNSSEC...
I'm aware of the MTA-STS thing and yes, it's largely useless. All it does is let sites opt in to webpki for mail server certs, which makes no sense because webpki isn't appropriate for them.
MTA-STS exists to avoid relying on DNSSEC. That's why it requires a policy file like mta-sts.grapheneos.org/.well-known/mt instead of just using DNS records. Domain Validated certificates don't even require DNSSEC verification when the domain has DNSSEC. The same thing applies to CAA.
I ended up setting up mail.grapheneos.org with certbot --reuse-key so I can pin the public key with DANE while still having automatically renewed Let's Encrypt certificates with MTA-STS. I don't really see an issue with using Web PKI for this. MUAs used it before MTA-STS.
I can do key rotations by hand without having to worry about the Let's Encrypt renewal schedule, so using Web PKI isn't a hassle. I have no reason to host a web server on the same domain so I don't have a reason to care that the certificates aren't specific to SMTP or HTTP.
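As an added example (not the thread's own or GrapheneOS's tooling) of the setup described in the post above: deriving the DANE TLSA 3 1 1 value from a certificate's public key, then checking that a certbot --reuse-key style renewal leaves the published pin intact while a renewal with a fresh key does not. It assumes openssl is installed; the hostname and certificates are constructed placeholders, not mail.grapheneos.org.

```shell
#!/bin/sh
# Added example, not from the thread: derive a DANE TLSA "3 1 1" value
# (DANE-EE, SubjectPublicKeyInfo, SHA-256) from a certificate and check
# whether a re-issued certificate keeps the pinned key, as certbot
# --reuse-key does. Assumes openssl is on PATH; certs are self-signed
# test certs and the hostname is a placeholder, not mail.grapheneos.org.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# TLSA 3 1 1 data is SHA-256 over the DER-encoded SubjectPublicKeyInfo,
# so it depends only on the key, not on the issuer or validity dates.
tlsa_311_hash() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Self-signed stand-in for an ACME issuance: same key, new certificate.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=$2" -days 90 -out "$3" 2>/dev/null
}

# Zone-file line for the SMTP TLSA record of a mail host.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311_hash "$2")"
}

# Succeeds when the renewed cert still matches the published pin.
renewal_keeps_pin() {
    [ "$(tlsa_311_hash "$1")" = "$(tlsa_311_hash "$2")" ]
}

new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

demo() {
    host=mail.example.test                      # placeholder MX hostname
    new_key "$WORK/key.pem"
    issue_cert "$WORK/key.pem" "$host" "$WORK/cert1.pem"
    issue_cert "$WORK/key.pem" "$host" "$WORK/cert2.pem"     # renewal, key reused
    new_key "$WORK/newkey.pem"
    issue_cert "$WORK/newkey.pem" "$host" "$WORK/cert3.pem"  # renewal, fresh key
    tlsa_record "$host" "$WORK/cert1.pem"
    renewal_keeps_pin "$WORK/cert1.pem" "$WORK/cert2.pem" && echo "reused key: TLSA still valid"
    renewal_keeps_pin "$WORK/cert1.pem" "$WORK/cert3.pem" || echo "new key: publish new TLSA before switching"
}
demo
```

Publishing a second TLSA record for the new key before the switch, and removing the old one afterwards, is what a by-hand rotation without --reuse-key would need.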
If MTA-STS becomes broadly deployed/expected, servers could drop support for bothering with it and instead mandate TLS with Web PKI verification. It's orthogonal to using DANE for pinning a specific key or certificate. There are benefits to having this in addition to DANE, like CT.