Just want simple TLS for your .internal network?

“Customarily” must not necessarily mean “major email domains”. As I understand it, DANE is commonly used by organizations wanting to secure e-mail between them; DANE enforcement is agreed by both parties, and then used without issue.

Didn't they invent MTA-STS so they could not use DANE? They use MTA-STS.

I know that is what MTA-STS is for, but haven’t heard from people actually using it. I have, however, heard from people using DANE in the way i described.

(For those who don’t know, MTA-STS is basically DANE but for people who hate DNSSEC. And are OK with requiring every mail server to also have a web server running.)

Respectfully, what are you talking about? The four largest email providers in the world all run STS. You can test for yourself: just do `dig +short txt _mta_sts.DOMAIN`. I stopped looking after I saw that even Yahoo Mail does it.

I’m talking about hearing from actual people running their own e-mail infrastructure, or who are at least working closely with some local party to run it for them. What the humongous e-mail providers do is largely irrelevant for the purposes of what people in general should do with their own systems; what large providers do is rarely in the interests of anyone else but themselves.

(Also, your test is wrong. It should be “_mta-sts”, not “_mta_sts”.)

What an odd definition of "using it". It only counts if just a couple random people set it up, but not if hundreds of millions of people rely on it.

You frequently argue that DNSSEC usage only counts when it’s added to domains by the domain owners, not when it is added by DNS server operators (who are frequently also the registrars). Why then should MTA-STS usage count if it’s done by the few huge centralized e-mail providers?

When it’s purposefully set up by actual people, I only hear about DANE. It’s only when talking about huge e-mail providers that I hear about MTA-STS. And, as I said previously, those huge providers probably chose MTA-STS not for any reason which benefits their regular users, but for reasons which benefits only themselves, being a huge operator.

No! These aren't comparable problems. MTA-STS is designed to defeat SSL-stripping. It works whether specific users know about it or not. That is not the case for DNSSEC. This is why MTA-STS is overwhelmingly deployed across email users, and DNSSEC has less than 5% deployment (and falling). Thanks for the opportunity to clarify.

If you're wondering why DNSSEC never took off, these kinds of exchanges are illustrative!

> It works whether specific users know about it or not. That is not the case for DNSSEC.

I am baffled by this claim. DNSSEC works completely transparently to the user.

Also, we were comparing the specifics of MTA-STS to DANE, not to DNSSEC. Both MTA-STS and DANE solves the same problem, i.e. fake X.509 certificates and/or protocol degradation (SSL stripping). DANE has the potential to solve the same problem for every protocol, not just SMTP, while MTA-STS is both specific to e-mail, and stupidly requires an additional web server on every SMTP server.

> and falling

It’s actually rising again, according to your sources.

In recent years, you seem to have dropped all pretense of arguing against the specifics of DNSSEC, which is good, but you have then resorted to argumentum ad populum. However, this is a bad form of argumentation unless you can explain why DNSSEC is not as popular as it could be. For instance, what happened in late 2023 to cause the dip?

The chart is right there upthread for anybody interested to see. No, I haven't dropped any of my arguments against DNSSEC.

(This use of DANE is explicitly described in RFC 7672, section 6.)

Yes, anyone can see the trend has now turned upwards again. Including you, if you would look.