nanog mailing list archives

Re: DANE of SMTP Survey


From: Jeroen Massar via NANOG <nanog () nanog org>
Date: Wed, 2 Jun 2021 11:07:34 +0200



On 20210601, at 15:15, Moritz Müller via NANOG <nanog () nanog org> wrote:

> Hi,
>
> DANE for SMTP is not deployed on a large scale. Together with researchers from Seoul National University, Virginia Tech
> and the University of Twente, we would like to understand which challenges operators face when deploying DANE for
> SMTP.

DNSSEC?

... ;)

No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them.

Now, over the last few years this fragility has lessened, especially with DNS servers already doing most of the work 
for you, but people still find it scary, as when DNS breaks (and "it is always DNS", unless it is the network full of 
packets, eh, or broken routes, etc.), then you lose all your eggs.

And replacing a DNS key can take a few moments, especially with caching of records etc.
Thus downtime is then ensured.


Combine that with many shops not having much DNS knowledge in the first place, and they won't easily get their heads 
around that barrier.

Hosted offerings (where the shop has 24/7 people just for DNS) are then the only way to go, but then why have an 
Internet, we could just let everything be done by a single Monopoly and be done with it.


As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. 
But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet 
thing for too long.

Greets,
 Jeroen
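The "replace a key, wait for caches, hope nothing breaks" problem above is exactly where DANE-for-SMTP deployments fail: a certificate or key is rotated while resolvers still hold the old TLSA RRset. The following Python is an added example (not code from the thread or from any NANOG participant) that parses and derives TLSA records using the field semantics of RFC 6698 (usage, selector, matching type) and implements a pre-rotation check: the published RRset must already match both the current and the next key before the switch. The byte strings are constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo data, not real keys; in practice they would come from an X.509 parser.

```python
"""TLSA matching and a pre-rotation safety check for DANE-for-SMTP.

Added example, not part of the original post. Field meanings follow
RFC 6698: usage 0..3 (3 = DANE-EE, the usual choice for SMTP), selector
0 = full certificate / 1 = SubjectPublicKeyInfo, matching type 0 = exact
bytes / 1 = SHA-256 / 2 = SHA-512.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample inputs (NOT real DER, NOT real keys): stand-ins for the
# DER encoding of a certificate and of its SubjectPublicKeyInfo.
CURRENT_CERT_DER = b"\x30\x82\x01\x00" + b"current-cert-body" * 4
CURRENT_SPKI_DER = b"\x30\x5a" + b"current-spki-body" * 2
NEXT_CERT_DER = b"\x30\x82\x01\x00" + b"next-cert-body" * 4
NEXT_SPKI_DER = b"\x30\x5a" + b"next-spki-body" * 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA wire format: three one-octet fields, then the data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    return TLSA(usage, selector, matching_type, rdata[3:])


def build_tlsa(usage: int, selector: int, matching_type: int,
               cert_der: bytes, spki_der: bytes) -> TLSA:
    """Derive the TLSA record an operator should publish for a given key."""
    selected = spki_der if selector == 1 else cert_der
    if matching_type == 0:
        data = selected
    elif matching_type == 1:
        data = hashlib.sha256(selected).digest()
    elif matching_type == 2:
        data = hashlib.sha512(selected).digest()
    else:
        raise ValueError(f"unknown matching type {matching_type}")
    return TLSA(usage, selector, matching_type, data)


def presentation(record: TLSA) -> str:
    """Zone-file presentation form, e.g. '3 1 1 <hex digest>'."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does a published record match the certificate / key a server presents?"""
    try:
        expected = build_tlsa(record.usage, record.selector,
                              record.matching_type, cert_der, spki_der)
    except ValueError:
        return False  # unknown matching type: cannot match, treat as failure
    return expected.data == record.data


def rollover_safe(rrset: Iterable[TLSA],
                  keys: List[Tuple[bytes, bytes]]) -> bool:
    """Pre-rotation check: every key that may be served during the rollover
    window (current and next) must be matched by at least one record in the
    RRset that is already published. Only when this holds, and the RRset has
    been out for longer than its TTL, is it safe to switch certificates."""
    records = list(rrset)
    return all(any(tlsa_matches(r, cert, spki) for r in records)
               for cert, spki in keys)


if __name__ == "__main__":
    current = build_tlsa(3, 1, 1, CURRENT_CERT_DER, CURRENT_SPKI_DER)
    print("publish now:", presentation(current))
    keys = [(CURRENT_CERT_DER, CURRENT_SPKI_DER), (NEXT_CERT_DER, NEXT_SPKI_DER)]
    print("safe to rotate with only current record:", rollover_safe([current], keys))
    both = [current, build_tlsa(3, 1, 1, NEXT_CERT_DER, NEXT_SPKI_DER)]
    print("safe to rotate with both records:", rollover_safe(both, keys))
```

Running it prints the "3 1 1" record for the current key, reports that rotating with only that record published is unsafe, and that publishing the next key's record alongside it makes the switch safe. The TTL wait itself is deliberately left to the operator: the check only tells you whether the RRset you are about to rely on covers both keys.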

