Dane testing and posttls-finger ???

John Allen john at klam.ca
Sat Apr 11 15:47:54 CEST 2015


On 10/04/2015 11:17 PM, Viktor Dukhovni wrote:
> On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
>
>>>      3. If you want any security from DANE when sending outbound
>>>         email to remote domains, you MUST use a local 127.0.0.1
>>>         resolver that validates DNSSEC record signatures for itself.
>> done, but why?
> Because Postfix trusts whatever resolver it queries, DNSSEC validation
> is performed only by the resolver.  DANE is supposed to protect
> you from MiTM attacks, but if you trust packets purportedly from
> 8.8.8.8, you're leaving yourself open to MiTM attacks.  Thus DANE
> via remote trusted resolvers is pointless.
>
OK, makes sense, and I should have been able to answer that one on my own.
I am getting old and far too trusting. Or maybe I have been retired too
long and am beginning to forget that the internet is a pool full of
piranhas. Or, much more likely, I need to engage brain more often.
Anyway, thanks for answering my dumb questions.
John A
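As an added example (not code from this thread or from the Postfix project), here is a small POSIX shell check an operator can run to confirm the two things Viktor's answer hinges on: that every resolver Postfix will query is a loopback address, and that main.cf actually asks for DNSSEC lookups and DANE. The resolv.conf and postconf-style lines are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: DANE is only as trustworthy as the path to the resolver that
# validates DNSSEC, so the resolver must be local. Function names are mine.

# Exit 0 when every "nameserver" line on stdin is a loopback address
# (127.0.0.0/8 or ::1) and at least one nameserver is present; 1 otherwise.
resolvers_are_local() {
    awk '
        $1 == "nameserver" {
            n++
            if ($2 ~ /^127\./ || $2 == "::1") next
            bad++
            print "non-local resolver: " $2 > "/dev/stderr"
        }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }
    '
}

# Exit 0 when "postconf -n"-style text on stdin sets both
# smtp_dns_support_level = dnssec and smtp_tls_security_level = dane
# (or dane-only); DANE needs both, since without dnssec lookups the
# TLSA records are never treated as authenticated.
postfix_dane_enabled() {
    awk -F'=' '
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "smtp_dns_support_level" && val == "dnssec") dnssec = 1
            if (key == "smtp_tls_security_level" && (val == "dane" || val == "dane-only")) dane = 1
        }
        END { exit (dnssec && dane) ? 0 : 1 }
    '
}

# Constructed sample inputs (not real configurations).
GOOD_RESOLV_CONF='nameserver 127.0.0.1
options edns0'
BAD_RESOLV_CONF='nameserver 8.8.8.8
nameserver 127.0.0.1'
GOOD_MAIN_CF='smtp_dns_support_level = dnssec
smtp_tls_security_level = dane'
BAD_MAIN_CF='smtp_dns_support_level = enabled
smtp_tls_security_level = dane'

printf '%s\n' "$GOOD_RESOLV_CONF" | resolvers_are_local && echo "sample resolv.conf 1: local resolver only"
printf '%s\n' "$BAD_RESOLV_CONF"  | resolvers_are_local || echo "sample resolv.conf 2: remote resolver present, DANE pointless"
printf '%s\n' "$GOOD_MAIN_CF" | postfix_dane_enabled && echo "sample main.cf 1: DANE with dnssec lookups"
printf '%s\n' "$BAD_MAIN_CF"  | postfix_dane_enabled || echo "sample main.cf 2: DANE requested but dnssec lookups off"
```

Run the same functions against the live `/etc/resolv.conf` and `postconf -n` output on the MTA to check a real installation.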

