On 24 Aug 2015, at 1:17, Viktor Dukhovni wrote:

> 5. Unsigned MX, Signed A/AAAA, TLS used with cert validated with signed TLSA
>    (i.e. trusted cert)
>
> This does not provide adequate MiTM protection, but the draft does
> not rule out clients that might do this, rather it does not specify
> use of DANE for this case.

Good, then I am not crazy! :-)

> If enough users want this, such features
> could be added to Postfix. The delivery is not immune to active
> attacks, but arguably somewhat stronger than ignoring such TLSA
> RRs.
>
> The primary use-case would be a provider that is MX hosting lots
> of domains, many of which are not DNSSEC signed, but the MX hosts
> are.

Exactly. I think it is important to be able to tell people they SHOULD ABSOLUTELY get DANE for their port 25/465 incoming SMTP servers, regardless of whether they have X.509 certs for them or not. When hosting providers have TLSA records, then it is only up to the domain holder in such hosting environments to sign their zone to get complete protection. I think it would be unfortunate if we end up in a catch-22 here as well regarding DNSSEC deployment.

Patrik
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
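The case discussed above is "cert validated with signed TLSA": the MX host operator publishes a TLSA record for its server key, and a DANE-aware client checks the certificate the server presents against that record. The following is an added example (not code from the thread, from Postfix, or from the draft) of both halves of that step in Go, using only the standard library: it builds the DANE-EE(3) SPKI(1) SHA-256(1) record an operator would publish at `_25._tcp.<mx host>` and matches a presented leaf certificate against it. The hostname `mx1.example.net`, the self-signed test certificates, and the function names are constructed for the example; only usage 3 is handled, since DANE-TA(2) needs chain building. Whether the MX record that pointed the client at this host was itself DNSSEC-signed, the question the thread is about, is a policy decision outside this code: a correct match here proves the client is talking to the holder of the published key, not that the MX choice was not tampered with.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA models the RDATA of a TLSA record (RFC 6698, section 2.1).
type TLSA struct {
	Usage        uint8  // 3 = DANE-EE: the leaf certificate itself is trusted
	Selector     uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8  // 0 = exact, 1 = SHA-256, 2 = SHA-512
	Data         []byte // certificate association data
}

// String renders the record in presentation format, e.g. "3 1 1 <hex>".
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// associationData derives the certificate association data for one certificate
// under the given selector and matching type.
func associationData(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matchingType {
	case 0:
		return in, nil
	case 1:
		sum := sha256.Sum256(in)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(in)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matchingType)
	}
}

// PublishTLSA builds the record an MX operator publishes at _25._tcp.<mx host>:
// DANE-EE(3) SPKI(1) SHA-256(1). Pinning the SPKI rather than the whole
// certificate means a renewal that keeps the same key needs no DNS change.
func PublishTLSA(cert *x509.Certificate) (TLSA, error) {
	data, err := associationData(cert, 1, 1)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: data}, nil
}

// Matches reports whether the leaf certificate presented by the MX host
// satisfies the record. Only DANE-EE(3) is handled here.
func Matches(rr TLSA, leaf *x509.Certificate) bool {
	if rr.Usage != 3 {
		return false
	}
	got, err := associationData(leaf, rr.Selector, rr.MatchingType)
	if err != nil {
		return false
	}
	return bytes.Equal(got, rr.Data)
}

// NewTestCert creates a constructed self-signed certificate for a hostname.
// It is a test fixture only; a real MX would present whatever certificate it
// was issued, which under DANE-EE need not chain to any public CA.
func NewTestCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	mx, _ := NewTestCert("mx1.example.net")
	rr, _ := PublishTLSA(mx)
	fmt.Printf("_25._tcp.mx1.example.net. IN TLSA %s\n", rr)
	// An attacker with a different key for the same name does not match.
	impostor, _ := NewTestCert("mx1.example.net")
	fmt.Println("genuine cert matches: ", Matches(rr, mx))
	fmt.Println("impostor cert matches:", Matches(rr, impostor))
}
```

Note that the impostor certificate carries the same hostname and is equally self-signed; the only thing that distinguishes it is the key, which is exactly what the TLSA record pins. That is why the hosting provider's MX hosts can be protected without any public CA involvement, and why the remaining gap in case 5 is the unsigned MX lookup rather than the certificate check.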
