Hello,

On 12 May 2015 at 08:54, Gilles Chehade wrote:

>>>> DNSSEC
>>>>
>>>
>>> DANE offers good protection against this, I actually have prototype code for
>>> DANE support in OpenSMTPD but:
>>>
>>> 1- it requires libasr to support DNSSEC, otherwise we just moved the MITM
>>> issue to the DNS protocol ;-)
>>>
>>> 2- DNSSEC is still painful to set up, no one does it unfortunately :-/
>>>
>>
>> That's cool, do you have it public somewhere? And do you know how much work
>> it would be to support DNSSEC in libasr?
>>
>
> The DANE code?
>
> Nope, it's nowhere public, it is a proof of concept I wrote last weekend
> to see how much effort would be required in OpenSMTPD to support it. The
> code relies on a hack because the lka.c code needs a huge refactor if we
> want it to fit in. I have started working on it, but right now the focus
> is on the upcoming major release.
>
> As for DNSSEC support in libasr, I have not had a very deep look into it,
> so from a quick sight I'd say it's not that much work, I could be wrong.

IMO, the DNSSEC support in your library would be nice but not a prerequisite for DANE. You might start proposing the DANE feature without DNSSEC validation in a first step and accompany it with a big disclaimer: "In case you activate this feature, we strongly encourage you to deploy on your server a DNSSEC-validating local resolver."

Deploying such a resolver locally is not really complex (either to set up or to manage), for example using unbound, and can constitute a great alternative while you are developing the DNSSEC validation directly in your library.

Best regards,
Emmanuel Thierry

--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
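The point made in this exchange, that a DANE client which cannot validate DNSSEC itself must at least insist that the TLSA answer came back from a validating resolver, is illustrated by the following added example. It is not code from OpenSMTPD, libasr or the thread's authors: it parses a constructed DNS response in wire format, checks the AD (authenticated data) bit that a validating resolver such as unbound sets only when the chain of trust verified, and then matches a TLSA 3 1 1 record against a (constructed, non-DER) stand-in for the server's SubjectPublicKeyInfo. The names `_25._tcp.mail.example.net`, `FAKE_CERT` and `FAKE_SPKI` are assumptions made up for the example.

```python
"""Added example (not from the thread): refuse to act on a TLSA answer that
was not DNSSEC-validated (AD bit clear), then match the record against the
peer certificate. Every input below is constructed for the demonstration."""
import hashlib
import struct

TLSA_TYPE = 52          # RR type number for TLSA
AD_FLAG = 0x0020        # "authenticated data" bit in the DNS header flags


def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    # Step over a (possibly compressed) name and return the offset after it
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + ln


def parse_tlsa_response(msg):
    """Return {'ad': bool, 'records': [(usage, selector, mtype, data), ...]}."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip question section
        off = skip_name(msg, off) + 4          # +4: qtype, qclass
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TLSA_TYPE:
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    return {"ad": bool(flags & AD_FLAG), "records": records}


def tlsa_matches(record, cert_der, spki_der):
    # Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    # matching type 0 = exact, 1 = SHA-256, 2 = SHA-512
    _usage, selector, mtype, data = record
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected == data
    if mtype == 1:
        return hashlib.sha256(selected).digest() == data
    if mtype == 2:
        return hashlib.sha512(selected).digest() == data
    return False


def dane_verdict(msg, cert_der, spki_der):
    """Decide what a DANE-aware MTA may conclude from this answer."""
    parsed = parse_tlsa_response(msg)
    if not parsed["ad"]:
        # Resolver did not validate: a spoofed TLSA record would be accepted,
        # which is exactly the MITM moved to DNS that the thread warns about.
        return "untrusted-dns"
    if not parsed["records"]:
        return "no-tlsa"
    if any(tlsa_matches(r, cert_der, spki_der) for r in parsed["records"]):
        return "match"
    return "mismatch"


def build_response(ad, tlsa_rdata):
    # Constructed response: QR, RD, RA set; AD set only when requested
    flags = 0x8180 | (AD_FLAG if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("_25._tcp.mail.example.net") + struct.pack("!HH", TLSA_TYPE, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TLSA_TYPE, 1, 3600, len(tlsa_rdata)) + tlsa_rdata
    return header + question + answer


# Constructed stand-ins for the server certificate and its SPKI (not real DER)
FAKE_CERT = b"constructed-cert-der"
FAKE_SPKI = b"constructed-spki-der"
# TLSA "3 1 1": DANE-EE usage, SPKI selector, SHA-256 matching type
GOOD_RDATA = bytes([3, 1, 1]) + hashlib.sha256(FAKE_SPKI).digest()
VALIDATED = build_response(True, GOOD_RDATA)
UNVALIDATED = build_response(False, GOOD_RDATA)

if __name__ == "__main__":
    print("validated answer:", dane_verdict(VALIDATED, FAKE_CERT, FAKE_SPKI))
    print("unvalidated answer:", dane_verdict(UNVALIDATED, FAKE_CERT, FAKE_SPKI))
```

The AD bit is only meaningful when the answer comes from a resolver the MTA trusts over a path that cannot be tampered with, which is why the thread recommends running the validating resolver (unbound with a configured trust anchor) on the mail host itself and pointing the stub resolver at it; a remote validating resolver reached over plain UDP leaves the last hop open to the same spoofing.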
