On Tue, May 12, 2015 at 12:53:17PM +0200, Emmanuel Thierry wrote:
> Hello,
> 
> On 12 May 2015 at 08:54, Gilles Chehade wrote:
> 
> >>>> DNSSEC
> >>>> 
> >>> 
> >>> DANE offers good protection about this, I actually have prototype code for
> >>> DANE support in OpenSMTPD but:
> >>> 
> >>> 1- it requires libasr to support DNSSEC, otherwise we just moved the MITM
> >>> issue to the DNS protocol ;-)
> >>> 
> >>> 2- DNSSEC is still painful to setup, no one does it unfortunately :-/
> >>> 
> >> 
> >> That's cool, do you have it public somewhere? And do you know how much work
> >> it would be to support DNSSEC in libasr?
> >> 
> > 
> > The DANE code ?
> > 
> > Nope, it's nowhere public, it is a proof of concept I wrote last weekend
> > to see how much effort would be required in OpenSMTPD to support it. The
> > code relies on a hack because the lka.c code needs a huge refactor if we
> > want it to fit in. I have started working on it, but right now the focus
> > is on the upcoming major release.
> > 
> > As for DNSSEC support in libasr, I have not had a very deep look into it
> > so from a quick sight I'd say it's not that much work, I could be wrong.
> 
> IMO, the DNSSEC support in your library would be nice but not a prerequisite 
> for DANE. You might start proposing the DANE feature without DNSSEC 
> validation in a first step and accompany it with a big disclaimer:
> "In case you activate this feature, we strongly encourage you to deploy on 
> your server a DNSSEC-validating local resolver"
> 

Yes, these are two completely separate issues.

DANE support in OpenSMTPD requires an invasive and non-trivial refactor,
which has nothing to do with either DNSSEC or libasr. It is strictly some
internal plumbing, and chances are we will support DANE in the near future,
long before libasr supports DNSSEC.


> Deploying such a resolver locally is not really complex (either to setup or 
> to manage), for example using unbound, and can constitute a great alternative 
> while you are developing the DNSSEC validation directly in your library.
> 

This won't work.

OpenSMTPD does not query your system resolver, it uses the asr API so it
can perform the queries asynchronously and avoid blocking.

No matter which resolver you setup at the system level, until libasr has
support for DNSSEC, OpenSMTPD won't benefit from DNSSEC.


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
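The thread turns on one point: a DANE client may only act on a TLSA record that its own resolver has DNSSEC-validated, otherwise the MITM problem just moves to DNS. The following Python script is an added illustration of that rule and is not OpenSMTPD or libasr code. It builds a constructed wire-format DNS response carrying one TLSA record, parses the header to see whether the resolver set the AD (Authenticated Data) flag, and only then compares the record against a constructed stand-in for the server's certificate and SubjectPublicKeyInfo as RFC 6698 describes (usage 3 / DANE-EE only; the sample name `_25._tcp.mail.example.com` and the byte strings are made up). The AD flag is only meaningful when the resolver that set it is one the client actually queries and trusts, which is exactly why a validating resolver the MTA never consults does not help.

```python
"""Treat a DANE/TLSA answer the way a DNSSEC-aware client must: refuse to
trust the record unless the resolver marked it authenticated (AD flag set),
then match the TLSA data against the server certificate (RFC 6698)."""
import hashlib
import struct

TYPE_TLSA = 52
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def build_tlsa_response(qname, tlsa_rdata, authenticated):
    """Constructed DNS response: one question, one TLSA answer, AD optional."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if authenticated else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    msg += b"\xC0\x0C"                        # answer name: pointer to question
    msg += struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(tlsa_rdata))
    return msg + tlsa_rdata


def parse_tlsa_response(msg):
    """Return (ad_flag, [(usage, selector, matching_type, data), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TLSA:
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    return bool(flags & FLAG_AD), records


def tlsa_matches(record, cert_der, spki_der):
    """RFC 6698: selector picks cert (0) or SPKI (1); matching type picks digest."""
    usage, selector, mtype, data = record
    if usage != 3:                            # only DANE-EE (usage 3) handled here
        return False
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected == data
    if mtype == 1:
        return hashlib.sha256(selected).digest() == data
    if mtype == 2:
        return hashlib.sha512(selected).digest() == data
    return False


def dane_verdict(msg, cert_der, spki_der):
    """'untrusted' unless the resolver set AD; else 'match' or 'mismatch'."""
    ad, records = parse_tlsa_response(msg)
    if not ad:
        return "untrusted"
    ok = any(tlsa_matches(r, cert_der, spki_der) for r in records)
    return "match" if ok else "mismatch"


# Constructed sample data standing in for real DER-encoded cert and SPKI.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()
QNAME = "_25._tcp.mail.example.com"

if __name__ == "__main__":
    for authenticated in (False, True):
        msg = build_tlsa_response(QNAME, SAMPLE_RDATA, authenticated)
        print("AD set:", authenticated, "->", dane_verdict(msg, SAMPLE_CERT, SAMPLE_SPKI))
```

Run as-is it prints `untrusted` for the unauthenticated answer and `match` for the authenticated one, even though the TLSA data is identical in both: a matching digest means nothing until the resolver path has validated the signature chain.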
