> On Aug 16, 2019, at 1:29 AM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
> enable DANE outbound:
>
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> main.cf:
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
>
> /etc/resolv.conf
> # A validating *local* resolver
> nameserver 127.0.0.1
I got an off-list suggestion to stress the importance of the validating
resolver being *local* to the Postfix server.

In addition to improved performance when the DNS cache is local, this
avoids potential MiTM attacks that "forge" the AD bit or data of a DNS
response. The Postfix DANE code fully trusts answers from the configured
resolvers, and only provides meaningful resistance to active attacks when
traffic between the validating resolver and Postfix is not vulnerable to
modification in transit.

And with distant validating resolvers you have no control over the timing
and reliability of potential changes in their validation logic. For
example, 8.8.8.8 and 8.8.4.4 returned incorrect AD bits for some domains
for a few days this past week (now believed resolved).

Bottom line, only trust local resolvers you deploy, configure *correctly*
and test.

-- 
Viktor.
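As an added illustration (not part of the thread, and not Postfix project code), the following script checks offline for the two points the post stresses: that every `nameserver` in resolv.conf is a loopback address, and that main.cf carries `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`. It also shows where the AD bit that Postfix trusts actually lives, by reading it out of a raw DNS response header. The resolv.conf and main.cf contents and the two 12-byte DNS headers are constructed samples, and the function names are this example's own.

```python
"""Audit a Postfix host for a local validating resolver and DANE settings.

Added example, not from the original post. File contents are passed in as
strings so the checks run on the constructed samples at the bottom.
"""
import ipaddress
import struct

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/128")

# The two main.cf parameters quoted in the post.
DANE_REQUIRED = {
    "smtp_dns_support_level": "dnssec",
    "smtp_tls_security_level": "dane",
}


def nonlocal_nameservers(resolv_conf: str) -> list[str]:
    """Return every nameserver in resolv.conf text that is not loopback."""
    bad = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                addr = ipaddress.ip_address(parts[1].split("%")[0])
            except ValueError:
                bad.append(parts[1])  # unparsable: flag it rather than guess
                continue
            if not (addr in LOOPBACK_V4 or addr in LOOPBACK_V6):
                bad.append(parts[1])
    return bad


def parse_main_cf(text: str) -> dict[str, str]:
    """Minimal main.cf reader: 'key = value', indented continuation lines."""
    params: dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()  # continuation of previous value
            continue
        if "=" in raw:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()  # later assignments override earlier
    return params


def dane_misconfigurations(main_cf: str) -> list[str]:
    """Report DANE parameters that are missing or set to another value."""
    params = parse_main_cf(main_cf)
    problems = []
    for name, want in DANE_REQUIRED.items():
        have = params.get(name)
        if have != want:
            problems.append(f"{name} = {have!r} (expected {want!r})")
    return problems


def ad_bit_set(response: bytes) -> bool:
    """True if the AD (Authenticated Data) flag is set in a DNS response header.

    Header flags word: QR(15) Opcode(14-11) AA TC RD RA Z AD(5) CD RCODE(3-0).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:  # QR must be set on a response
        raise ValueError("not a DNS response")
    return bool(flags & 0x0020)


def audit(resolv_conf: str, main_cf: str) -> list[str]:
    """Combine both checks into one list of findings (empty means clean)."""
    findings = [f"non-local nameserver: {ns}" for ns in nonlocal_nameservers(resolv_conf)]
    findings += dane_misconfigurations(main_cf)
    return findings


# --- constructed samples (not taken from any real host) -------------------
SAMPLE_RESOLV_CONF = """\
# A validating *local* resolver
nameserver 127.0.0.1
nameserver 8.8.8.8   # remote resolver: AD bit can be altered in transit
"""

SAMPLE_MAIN_CF = """\
smtp_dns_support_level = dnssec
smtp_tls_security_level = may
"""

# 12-byte headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
RESPONSE_WITH_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)     # QR RD RA AD
RESPONSE_WITHOUT_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_MAIN_CF):
        print("WARN", finding)
    print("AD set:", ad_bit_set(RESPONSE_WITH_AD), ad_bit_set(RESPONSE_WITHOUT_AD))
```

On a real host you would feed `audit()` the contents of `/etc/resolv.conf` and `postconf -n` output; the AD-bit parser is there to make the point concrete that the flag is two bytes into an unauthenticated UDP packet, which is exactly why the hop between Postfix and its resolver must not be exposed to modification.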