Dane testing and posttls-finger ???

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 9 22:27:01 CEST 2015


On Thu, Apr 09, 2015 at 12:09:39PM -0400, John wrote:

> My resolv.conf points to google (8.8.8.8, 8.8.4.4 + their ipv6 equivalents).

    1. MTAs should run their own caching resolvers, even if they forward
       to another caching resolver upstream (e.g. 8.8.8.8).

    2. If you are doing any RBL lookups, you must not make them via an
       upstream forwarder (avoid looking up RBLs via 8.8.8.8 and friends).

    3. If you want any security from DANE when sending outbound
       email to remote domains, you MUST use a local 127.0.0.1
       resolver that validates DNSSEC record signatures for itself.

       If you're not using 'smtp_tls_security_level = dane', then
       the local resolver is not essential for security, but is still
       a good idea.

-- 
	Viktor.
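As an added example (not part of Viktor's post), a small POSIX shell check for point 3: it verifies that every nameserver in resolv.conf-style text is a loopback address and that a dig-style answer carries the AD flag (i.e. the local resolver validated the DNSSEC signatures itself). The resolv.conf and dig samples below are constructed; the live-use line assumes `dig` is installed.

```sh
#!/bin/sh
# Added example: does this MTA's resolver setup satisfy the DANE requirement
# of a local (127.0.0.1 / ::1) resolver that validates DNSSEC for itself?

# Return 0 if the resolv.conf text in $1 names at least one nameserver and
# every nameserver is a loopback address; 1 otherwise. (An upstream forwarder
# such as 8.8.8.8 may validate, but the unprotected last hop to it is why
# it does not count for DANE.)
resolv_is_local() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            seen = 1
            if ($2 !~ /^127\./ && $2 != "::1") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Return 0 if dig-style output in $1 shows the AD (authenticated data) flag
# in its ";; flags:" line, meaning the resolver validated the answer.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ ]ad[ ;]'
}

# Combined check: 0 only if both conditions hold.
dane_resolver_ready() {
    resolv_is_local "$1" && dig_has_ad "$2"
}

# Constructed sample inputs for offline use.
RESOLV_FORWARDER='nameserver 8.8.8.8
nameserver 8.8.4.4'
RESOLV_LOCAL='nameserver 127.0.0.1
options edns0'
DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Live use (needs network; example.com is a placeholder for the remote
# domain's MX host):
#   dane_resolver_ready "$(cat /etc/resolv.conf)" \
#       "$(dig +dnssec _25._tcp.mail.example.com TLSA)" && echo "DANE-ready"
```

A resolver that answers without AD, or one reached over the network rather than loopback, means `smtp_tls_security_level = dane` cannot be trusted to downgrade-protect delivery.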