Dane testing and posttls-finger ???
ietf-dane at dukhovni.org
Thu Apr 9 22:27:01 CEST 2015
On Thu, Apr 09, 2015 at 12:09:39PM -0400, John wrote:
> My resolv.conf points to google (184.108.40.206, 220.127.116.11 + their ipv6 equivalents).
1. MTAs should run their own caching resolvers, even if they forward
to another caching resolver upstream (e.g. 18.104.22.168).
2. If you are doing any RBL lookups, you must not make them via an
upstream forwarder (avoid looking up RBLs via 22.214.171.124 and friends).
3. If you want any security from DANE when sending outbound
email to remote domains, you MUST use a local 127.0.0.1
resolver that validates DNSSEC record signatures for itself.
If you're not using 'smtp_tls_security_level = dane', then
the local resolver is not essential for security, but is still
a good idea.
More information about the dane-users