Letter to Microsoft DNSSEC and DANE support ano
Content
Agendapunt: 4G
Documentnummer: FS-20200506.4G
Download hier de PDF versie van dit vergaderstuk. Wij kunnen de digitale toegankelijkheid van het PDF bestand niet garanderen.
Rechten:CC0 publieke domein verklaring
Information Management and Procurement Department
Turfmarkt 147
2511 DP The Hague Postbus 20301
2500 EH The Hague www.rijksoverheid.nl/jenv
Please quote date of letter and our ref. when replying. Do not raise more than one subject per letter.
Dear Mr Stigter,
Thank you for your letter dated March 3, 2020, regarding “DNSSEC DANE support status update”. We are pleased that Microsoft decided to natively support DNSSEC and DANE in Office 365 Exchange Online. We very much look forward to the announced outbound DANE support (validation) in 2020 and inbound DANE support (publishing) in 2021.
The forthcoming support will be appreciated by many of your (potential) customers, including the Dutch central government and other governments, that have requested DNSSEC and DANE support. Microsoft’s plans also align well with the market uptake. Since our letter on August 30, 2019, regarding “Information on Dutch government’s position on DNSSEC and DANE (for secure mail transport)”, the number of domains that are DANE-enabled has grown from 1.2 to over 1.8 million. Furthermore vendors like Cisco, Proofpoint/Cloudmark and PowerMTA also chose to support DANE and Google offers alternative DNSSEC- signed MX domains for G Suite.
As already explained in our letter on August 30, 2019, the Dutch government considers DANE and underlying DNSSEC crucial standards in order to better protect email communications. Therefore, both standards have been made mandatory within the Dutch government and are part of the governmental baseline for information security that was enacted by the Dutch Council of Ministers.
We are aware of both MTA-STS and ‘relay gateway options for DANE support’ that you mention as interim solutions. As mentioned before, MTA-STS is relatively new and less secure than DANE (because of 'trust on first use') which is acknowledged in the MTA-STS specification. Relay gateways add complexity and costs. Considering security, complexity and cost concerns we believe native DNSSEC and DANE support in Office 365 Exchange Online and other email platforms is crucial, and we are glad you are committed to implement it.
When support is available, Dutch government organizations that use Microsoft Office 365 Exchange online service will be compliant with relevant regulations and standards. However, currently Dutch governments that use Office 365 Exchange Online (without any additional DANE handling relay gateway) are still not compliant. These governments unfortunately have not met the set deadline to implement DANE for the end of 2019. This also appears from our recent measurement in the beginning of March 2020.
As discussed with you before, the latest measurement results and bottlenecks will soon be reported to the highest official, inter-administrative body on digital government policy (Overheidsbreed Beleidsoverleg Digitale Overheid, OBDO) and also to the Dutch House of Parliament. In the context of our measurement report we will make a statement about Microsoft’s current position with regards to the support of DNSSEC and DANE in Office 365 Exchange online that is based on the content of your letter on March 3, 2020. Furthermore we plan to inform individual Dutch government organizations and our fellow European governments on your plans and timeline for DNSSEC and DANE support.
In the light of the above it would be helpful if you could make a public statement or a statement that can be communicated to your government customer base on your planned support for DNSSEC and DANE. We believe lack of publicly available information on this issue delays deployment of Office 365 service even further, increases cost significantly and lowers our return on investment in Microsoft products and services. If it is not feasible for you to provide such a statement before April 3, 2020, given our public position and responsibility as a government, we feel compelled to refer to the statement in your latest letter dated March 3, 2020 in our communications on this matter.
Lastly, we would like to keep in touch with you on this and we ask you to regularly inform us on your progress.
Looking forward to your reply.
Kind regards,
Strategic Vendor Manager Microsoft for the Dutch Central Government
Chair Forum Standardization