Dane testing and posttls-finger ???
john at klam.ca
Sat Apr 11 15:47:54 CEST 2015
On 10/04/2015 11:17 PM, Viktor Dukhovni wrote:
> On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
>>> 3. If you want any security from DANE when sending outbound
>>> email to remote domains, you MUST use a local 127.0.0.1
>>> resolver that validates DNSSEC record signatures for itself.
>> done, but why?
> Because Postfix trusts whatever resolver it queries, DNSSEC validation
> is performed only by the resolver. DANE is supposed to protect
> you from MiTM attacks, but if you trust packets purportedly from
> 126.96.36.199, you're leaving yourself open to MiTM attacks. Thus DANE
> via remote trusted resolvers is pointless.
OK, makes sense, and I should have been able to answer that one on my own.
I am getting old and far too trusting. Or maybe I have been retired too
long and am beginning to forget that the internet is a pool full of
piranhas. Or, much more likely, I need to engage brain more often.
Anyway, thanks for answering my dumb questions.
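Two offline checks that follow from Viktor's point above, written here as an added example and not taken from the thread or from Postfix itself: first, that every `nameserver` in a resolv.conf-style file is a loopback address (otherwise Postfix's DNSSEC trust rests on unauthenticated UDP from the network), and second, that the local resolver actually validates, which shows up as the `ad` flag in a `dig +dnssec` reply header. The resolv.conf contents and dig header lines below are constructed samples; 192.0.2.53 is a documentation-range address standing in for a remote resolver. The Postfix parameter names in the comments (`smtp_dns_support_level`, `smtp_tls_security_level`) are real, but the settings shown are an assumption about a typical DANE-enabled outbound configuration, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the dane-users thread. Both checks run offline on
# constructed input so the logic can be exercised without a network.
#
# Postfix side (assumed typical main.cf for opportunistic DANE on outbound):
#   smtp_dns_support_level = dane
#   smtp_tls_security_level = dane
# Neither setting helps unless the resolver Postfix talks to validates
# DNSSEC itself and is reached over loopback, which is what we check here.

# Check 1: every nameserver line must point at loopback (127.x.x.x or ::1).
# Returns 0 when that holds and at least one nameserver is present, else 1.
resolver_is_loopback() {
    # $1: contents of a resolv.conf file
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            n++
            if ($2 !~ /^127\./ && $2 != "::1") bad++
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Check 2: a validating resolver sets the AD (authenticated data) flag on
# answers from signed zones. Given dig output (at least its ";; flags:"
# line), return 0 only if "ad" is among the flags.
answer_is_authenticated() {
    # $1: dig +dnssec output, or just its ";; flags:" header line
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ ]ad[ ;]'
}

# Constructed sample inputs (not captured from a real host).
GOOD_RESOLV='nameserver 127.0.0.1
options edns0'
BAD_RESOLV='nameserver 192.0.2.53
nameserver 127.0.0.1'
AD_REPLY=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
NOAD_REPLY=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone demonstration: report each sample's verdict.
report() {
    # $1: label, $2: check function, $3: input
    if "$2" "$3"; then
        echo "$1: OK"
    else
        echo "$1: NOT OK"
    fi
}
report "resolv.conf (loopback only)"        resolver_is_loopback  "$GOOD_RESOLV"
report "resolv.conf (remote resolver first)" resolver_is_loopback  "$BAD_RESOLV"
report "dig reply with AD flag"             answer_is_authenticated "$AD_REPLY"
report "dig reply without AD flag"          answer_is_authenticated "$NOAD_REPLY"
```

A loopback address alone is not sufficient: a stub such as 127.0.0.53 may simply forward to an upstream resolver and pass its answers through unvalidated, which is why the second check on the `ad` flag matters. On a live host the input to `answer_is_authenticated` would come from `dig +dnssec` against a name in a signed zone, and a missing `ad` flag means Postfix's DANE lookups are not getting validated data.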