nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Bjørn Mork via NANOG <nanog () lists nanog org>
Date: Mon, 19 May 2025 09:20:43 +0200

John Levine via NANOG <nanog () lists nanog org> writes:

> MTA-STS does the same thing more kludgily for people who don't like DNSSEC.

What if I don't like public CA certificates for email servers?

Will MTA-STS stay optional, or will it be "optional" like DKIM and SPF?

AFAICS, we did not need MTA-STS.  It is an attempt to solve the same
problem DANE solved a long time ago, but adding several new problems:

 - server and client must agree on trusted CAs, but the list is
   unspecified
 - the spec mandates not only a special purpose DNS policy label
   ("_mta-sts"), but also special purpose host name ("mta-sts")
 - the latter name must also have a certificate
 - configuration and operation is way more complicated than DANE,
   requiring a web server in addition to DNS configuration
 - the web server is a single point of failure in the design, and must be
   duplicated in different ASes if you want anything resembling DANE
   robustness
 - the web server is just smoke and mirrors, adding nothing to the
   provided trust.  MTA-STS is only as trustworthy as the _mta-sts and
   mta-sts DNS records.  DNSSEC is required in practice if you are going
   to trust them. But why do you need MTA-STS if you can do DANE?

These problems are worse for small sites than for the dominant players.
Just like DMARC/SPF/DKIM policies, small sites are mistrusted unless
they implement *all* available protection mechanisms.  So they can't
choose between DANE and MTA-STS.  They have to do both.  And where the
dominant players run their own CA which they force others to trust, the
small site has to carefully select some CA which is trusted by every
MTA-STS service out there. The operational cost of a redundant web
service is pretty much independent of email volume. It will be
significant if you run a low volume email server.

I guess it is possible that this is just an accident. Hanlon's razor
etc.  But traditional Internet email handled by small single domain
servers has been under attack for a long time.  The effect of MTA-STS is
yet another hard blow.  And given DANE, this is the *only* effect.

Why don't we just deprecate MTA-STS and make DANE mandatory, while it is
still possible?



Bjørn
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/XVASCH23N2H6GEFFH4OR2A3CF4YB5FR3/
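The MTA-STS discovery and enforcement steps the post lists (the `_mta-sts` TXT record carrying a policy id, the policy file served from the `mta-sts` host, and the MX/TLS checks a sending MTA applies) are shown below as an added worked example. It is not code from the post, from NANOG, or from any MTA-STS implementation; the domain `example.org`, the record value and the policy text are constructed, and the HTTPS fetch of the policy is left out so the logic runs offline.

```python
"""Offline MTA-STS (RFC 8461) policy parsing and enforcement logic.

Added example, not taken from any MTA-STS implementation. The TXT record
and policy file below are constructed for a hypothetical example.org; a
real client would read the TXT record from _mta-sts.example.org and fetch
the policy over HTTPS from mta-sts.example.org/.well-known/mta-sts.txt,
validating that host's certificate against its CA store.
"""
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical domain).
SAMPLE_TXT = "v=STSv1; id=20250519090000;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.org\r\n"
    "mx: *.backup.example.org\r\n"
    "max_age: 604800\r\n"
)


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record into its fields; requires v=STSv1 and an id."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("missing or malformed id")
    return fields


@dataclass(frozen=True)
class Policy:
    mode: str        # "enforce", "testing" or "none"
    mx: tuple        # lower-cased MX patterns, may start with "*."
    max_age: int     # cache lifetime in seconds


def parse_policy(text):
    """Parse the mta-sts.txt policy body (CRLF or LF line endings)."""
    version, mode, mx, max_age = None, None, [], None
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # Unknown keys are ignored for forward compatibility.
    if version != "STSv1":
        raise ValueError("policy version must be STSv1")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if max_age is None or not 0 <= max_age <= 31557600:
        raise ValueError("max_age missing or out of range")
    if mode != "none" and not mx:
        raise ValueError("policy needs at least one mx pattern")
    return Policy(mode, tuple(mx), max_age)


def is_valid_policy(text):
    """True if parse_policy accepts the text, False otherwise."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(pattern, host):
    """Match an MX host against a policy pattern; '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # e.g. ".backup.example.org"
        if len(host) <= len(suffix) or not host.endswith(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return host == pattern


def needs_refetch(cached_id, dns_id):
    """A changed id in the TXT record is the only signal to refetch the policy."""
    return cached_id != dns_id


def delivery_decision(policy, mx_host, tls_ok):
    """Return 'deliver', 'deliver_and_report' or 'defer' for one MX attempt."""
    if policy.mode == "none":
        return "deliver"
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if mx_ok and tls_ok:
        return "deliver"
    # enforce: do not deliver to a non-matching MX or over failed TLS;
    # testing: deliver anyway but report the failure (TLSRPT).
    return "defer" if policy.mode == "enforce" else "deliver_and_report"


if __name__ == "__main__":
    txt = parse_sts_txt(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", txt["id"], "mode:", policy.mode)
    for host, tls in [("mail.example.org", True), ("mx2.backup.example.org", False),
                      ("rogue.example.net", True)]:
        print(host, "tls_ok" if tls else "tls_fail", "->", delivery_decision(policy, host, tls))
```

The point of the post shows up in the code's trust roots: every decision above hinges on the `id` read from DNS and on the certificate presented by the `mta-sts` host, so without DNSSEC an attacker who can forge the TXT answer can simply suppress the record, and the HTTPS policy adds no trust beyond what that DNS lookup already provided.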
