britram / draft-trammell-optional-security-not

Optional Security is Not An Option

DNSSEC and usage communities #1

Open martinthomson opened 6 years ago

martinthomson commented 6 years ago

DNSSEC has been a flop as far as the web/HTTP community is concerned. You can read all about the reasons.

That is definitely not the case for email. Mail critically depends on DNS for its security. And in that world, DNSSEC (and DANE) has a much more plausible story. DNSSEC remains the most plausible technique that exists for securing MX records**.

I suspect that we'll see this sort of pattern emerge with other security mechanisms. They will gain traction for some uses, but not others, and more silos will emerge.

I raise this not because I have a specific suggestion, but more to point out that the situation with DNSSEC is a little more nuanced than the current draft implies.

** This MX problem wouldn't exist if, like with HTTP, mail servers were expected to present a certificate valid for their customers' domains, but the accepted practice is to only offer certificates for your own domain. On the other hand, that requirement is why CDNs are enthusiastic about secondary certificates; no such mechanism is required for mail.
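The comment above describes why DANE works for mail where the HTTP-style "certificate for the customer's domain" model does not: the signed MX record supplies the binding from the recipient domain to the operator's host, and the TLSA record lives under the MX host's own name, so the operator only needs a certificate for that name. The following is an added example (not code from the draft or from the commenter) that walks through that logic for an SMTP client: it resolves MX, then `_25._tcp.<mxhost>` TLSA, and only treats the result as authenticating when both answers were DNSSEC-validated, which is the rule DANE-SMTP (RFC 7672) applies. The zone data, the `secure` flag standing in for the resolver's AD bit, and the SPKI byte strings standing in for DER-encoded SubjectPublicKeyInfo blobs are all constructed for the example; a real client takes the SPKI from the certificate the MX host presents in the TLS handshake.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
SPKI_MX1 = b"constructed-spki-for-mx1.example.net"
SPKI_ROGUE = b"constructed-spki-for-an-attacker-host"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: the record pins the end-entity key directly
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Answer:
    rrs: tuple
    secure: bool   # True when the resolver validated the RRset with DNSSEC (AD bit)


# Constructed resolver cache standing in for live DNS answers.
ZONE = {
    # Signed domain whose MX host publishes a matching TLSA record.
    ("secure.example", "MX"): Answer((("mx1.example.net", 10),), secure=True),
    ("_25._tcp.mx1.example.net", "TLSA"): Answer(
        (TLSA(3, 1, 1, hashlib.sha256(SPKI_MX1).digest()),), secure=True),
    # Unsigned domain: an on-path attacker could have substituted both answers,
    # so the TLSA record here must not be trusted even though it exists.
    ("unsigned.example", "MX"): Answer((("mx.unsigned.example", 10),), secure=False),
    ("_25._tcp.mx.unsigned.example", "TLSA"): Answer(
        (TLSA(3, 1, 1, hashlib.sha256(SPKI_ROGUE).digest()),), secure=False),
    # Signed domain whose MX host publishes no TLSA record at all.
    ("notlsa.example", "MX"): Answer((("mx.notlsa.example", 10),), secure=True),
}


def resolve(name, rtype):
    """Look up (name, rtype) in the constructed zone; None means no such RRset."""
    return ZONE.get((name.lower(), rtype))


def tlsa_matches(rec, spki):
    """Compare a DANE-EE/SPKI TLSA record against a presented SubjectPublicKeyInfo."""
    if rec.usage != 3 or rec.selector != 1:
        return False  # this example implements only usage 3, selector 1
    if rec.mtype == 0:
        return rec.data == spki
    if rec.mtype == 1:
        return rec.data == hashlib.sha256(spki).digest()
    if rec.mtype == 2:
        return rec.data == hashlib.sha512(spki).digest()
    return False  # unknown matching type: treat as unusable


def delivery_plan(domain):
    """Return [(mxhost, mode, tlsa_rrs)] in MX preference order.

    mode is "dane" only when the MX RRset and the host's TLSA RRset were both
    DNSSEC-validated; otherwise the host gets unauthenticated opportunistic TLS.
    """
    mx = resolve(domain, "MX")
    if mx is None:
        return []
    plan = []
    for host, _pref in sorted(mx.rrs, key=lambda r: r[1]):
        # An insecure MX answer means the host itself is unauthenticated, so its
        # TLSA records are irrelevant; do not even look them up.
        tlsa = resolve(f"_25._tcp.{host}", "TLSA") if mx.secure else None
        if tlsa is not None and tlsa.secure and tlsa.rrs:
            plan.append((host, "dane", tlsa.rrs))
        else:
            plan.append((host, "opportunistic", ()))
    return plan


def verify_mx(domain, host, presented_spki):
    """Outcome for a TLS connection to `host` on behalf of `domain`.

    "authenticated": a secure TLSA record matched the presented key.
    "rejected":      secure TLSA records exist but none matched (hard fail).
    "unauthenticated": no usable DANE data; TLS is opportunistic only.
    """
    for mxhost, mode, rrs in delivery_plan(domain):
        if mxhost != host:
            continue
        if mode != "dane":
            return "unauthenticated"
        if any(tlsa_matches(r, presented_spki) for r in rrs):
            return "authenticated"
        return "rejected"
    raise ValueError(f"{host} is not an MX host for {domain}")
```

The point to notice is which name the TLSA record hangs off: `_25._tcp.mx1.example.net`, the operator's host, not `secure.example`. That is why the operator needs a certificate only for its own name, and why the whole scheme is only as strong as the DNSSEC validation of the MX answer, which the `unsigned.example` case shows being ignored despite a present TLSA record.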