On Mon, Aug 24, 2015 at 04:57:07AM +0200, Patrik Fältström wrote:
> > This does not provide adequate MiTM protection, but the draft does
> > not rule out clients that might do this, rather it does not specify
> > use of DANE for this case.
>
> Good, then I am not crazy! :-)

Don't jump to hasty conclusions. :-)

> > The primary use-case would be a provider that is MX hosting lots
> > of domains, many of which are not DNSSEC signed, but the MX hosts
> > are.
>
> Exactly.

It is not clear this is worthwhile, and the security properties
are rather questionable. This might get implemented anyway, as an
optional mitigation against MiTM where for some reason the MiTM
chooses to not modify unsigned DNS. The only visible sign of this
working would be deferred mail when verification of the MX host
fails. There should be no claim of security in the success case.

> I think it is important to be able to tell people they SHOULD ABSOLUTELY
> get DANE for their port 25/465 incoming SMTP servers, regardless of whether
> they have X.509 certs for them or not. When hosting providers have TLSA
> records, then it is only up to the domain holder in such hosting
> environments to sign their zone to get complete protection.
>
> I think it would be unfortunate if we end up in a catch 22 here as well
> regarding DNSSEC deployment.

There is no catch-22. For secure SMTP, sign your domain, and if
hosted by a provider, choose one that signs the provider domain
and publishes TLSA RRs.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane