On Fri, 17 Apr 2015, Stephen Farrell wrote:

> My understanding is that some people wanted to experiment with TLSA
> without having to have had DNSSEC deployed. But I take your answer
> to be that no such behaviour is defined here, which is fine. So
> consider this one answered.

I go back and forth with this one. It seems there is no good reason
not to use an insecure trust anchor over no trust anchor, but the UI
would have to be clearly different, which is where the real problem is
I think. We could easily use unsigned TLSA over completely unverified
TLSA, but it would not be a good test because you cannot accept it as
equal security in the UI without it becoming a downgrade attack.

Those who want to test could add their zone to the DLV, at least for
now - or configure a local trust anchor, if they are okay with a
signed zone without DS record.

> I still think I've been answered but just to clarify. The context
> here has no UI at all given it's between MTAs.

That's not entirely true, surely the people testing will check
the Received: headers for feedback on how the encryption went.

> And the people who
> wanted to experiment I believe wanted to play about with no DNSSEC
> at all, rather than with local trust anchors for DNS.

That does raise the question of what you are testing? While you might
be able to test whether a transport was encrypted between two mail
servers based on a TLSA key from DNS, you won't be testing whether a
forged or bad DNS entry will cause the email to be queued up for later
to protect it from being sent cleartext or encrypted via a forged key.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
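Added illustration of the point argued in the message above (not code from the dane list, from either poster, or from any real MTA): a small Python model of how an SMTP client's delivery decision depends on the DNSSEC status of the TLSA lookup, so that an unsigned TLSA record is treated as no record at all rather than as an authenticated one. Record layout and matching follow RFC 6698 (usage/selector/matching-type, with only DANE-EE(3) modelled); the "signed RRset with no usable records means TLS required but unauthenticated" branch is my reading of RFC 7672, and the certificate bytes, SPKI bytes and rdata strings are constructed, not real.

```python
"""Model of an MTA's DANE decision as a function of DNSSEC validation status.

Added example, not code from the mailing-list thread or from any MTA.
TLSA record layout follows RFC 6698; the sample certificate, SPKI and
DNS answers below are constructed and are not real data.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # validated by a trusted resolver (AD bit set)
    INSECURE = "insecure"  # provably unsigned zone, e.g. no DS in the parent
    BOGUS = "bogus"        # signed but validation failed, or SERVFAIL


class Decision(Enum):
    DANE_VERIFIED = "dane-verified"      # TLS, peer authenticated via TLSA
    TLS_UNAUTHENTICATED = "tls-unauth"   # TLS required, no authentication
    OPPORTUNISTIC_TLS = "opportunistic"  # TLS if offered, else cleartext
    DEFER = "defer"                      # queue and retry; send nothing


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (the only usage modelled here)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 8f2c...' (hex may be spaced)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexparts)))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one record against the certificate the peer presented."""
    obj = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return obj == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(obj).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(obj).digest() == rec.data
    return False


def usable(rec: TLSA) -> bool:
    # DANE-TA(2) is omitted for brevity; PKIX usages are unusable for SMTP.
    return rec.usage == 3 and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def delivery_decision(status: DnsStatus, records, cert_der: bytes,
                      spki_der: bytes) -> Decision:
    if status is DnsStatus.BOGUS:
        # A forged or broken answer must not degrade to cleartext: queue it.
        return Decision.DEFER
    if status is DnsStatus.INSECURE or not records:
        # Unsigned TLSA proves nothing; accepting it as authenticated would
        # let a DNS spoofer substitute a key. Plain opportunistic TLS instead.
        return Decision.OPPORTUNISTIC_TLS
    good = [r for r in records if usable(r)]
    if not good:
        # Signed RRset but nothing we can use (my reading of RFC 7672):
        # TLS is still required, but no authentication is possible.
        return Decision.TLS_UNAUTHENTICATED
    if any(tlsa_matches(r, cert_der, spki_der) for r in good):
        return Decision.DANE_VERIFIED
    # Signed records that do not match the presented certificate: do not send.
    return Decision.DEFER


# Constructed sample data (not a real certificate, key or zone).
CERT_DER = b"\x30\x82constructed-cert"
SPKI_DER = b"\x30\x59constructed-spki"
GOOD_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
BAD_RDATA = "3 1 1 " + hashlib.sha256(b"some other key").hexdigest()


def demo() -> dict:
    good, bad = parse_tlsa(GOOD_RDATA), parse_tlsa(BAD_RDATA)
    args = (CERT_DER, SPKI_DER)
    return {
        "signed_match": delivery_decision(DnsStatus.SECURE, [good], *args),
        "signed_mismatch": delivery_decision(DnsStatus.SECURE, [bad], *args),
        "unsigned_match": delivery_decision(DnsStatus.INSECURE, [good], *args),
        "bogus": delivery_decision(DnsStatus.BOGUS, [good], *args),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:16s} -> {d.value}")
```

The "unsigned_match" case is the one the thread is about: the record matches the peer's key, yet because the answer was not DNSSEC-validated the client gains nothing from it and must not report the session as DANE-authenticated (whether in a UI or in a Received: header), or an attacker who can spoof DNS gets a free downgrade. Testing with an unsigned zone therefore exercises the encryption path only, not the defer-on-forgery path.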