Dane testing and posttls-finger ???
ietf-dane at dukhovni.org
Sat Apr 11 05:17:28 CEST 2015
On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
> > 3. If you want any security from DANE when sending outbound
> > email to remote domains, you MUST use a local 127.0.0.1
> > resolver that validates DNSSEC record signatures for itself.
> done, but why?
Because Postfix trusts whatever resolver it queries, DNSSEC validation
is performed only by the resolver. DANE is supposed to protect
you from MiTM attacks, but if you trust packets purportedly from
18.104.22.168, you're leaving yourself open to MiTM attacks. Thus DANE
via remote trusted resolvers is pointless.
More information about the dane-users