On Tue, May 11, 2021 at 08:21:50PM -0400, post...@ptld.com wrote:

> It is my understanding if you publish DANE and TLSA records not only 
> must you be using DNSSEC (Which most big companies don't) but then your 
> mail server will not accept mail from anyone not using TLS 1.2+.

This is wrong.

  1. It is not the case that publishing DANE TLSA records forces anyone
     to use DNSSEC.  Rather, DANE records are simply ignored unless the
     server's zone is signed, and the client uses a validating resolver
     and supports DANE.

  2. It is not the case that servers with DANE TLSA records reject
     non-TLS email.  DANE SMTP is an *opportunistic* protocol, in which
     TLS enforcement is up to the client, and only when TLSA records are
     found.  See RFC7672 (Section 1.3) and RFC7435.

     RFC7435: https://datatracker.ietf.org/doc/html/rfc7435

       This document defines the concept "Opportunistic Security" in the
       context of communications protocols.  Protocol designs based on
       Opportunistic Security use encryption even when authentication is not
       available, and use authentication when possible, thereby removing
       barriers to the widespread use of encryption on the Internet.

     RFC 7672: https://datatracker.ietf.org/doc/html/rfc7672

       This memo describes a downgrade-resistant protocol for SMTP transport
       security between Message Transfer Agents (MTAs), based on the DNS-
       Based Authentication of Named Entities (DANE) TLSA DNS record.
       Adoption of this protocol enables an incremental transition of the
       Internet email backbone to one using encrypted and authenticated
       Transport Layer Security (TLS).

> Why would you want to do that and block receiving some mail?

DANE only adversely impacts email delivery when TLSA records are wrong.
Publishing correct TLSA records does not impair email delivery, unless
you happen to deploy an ancient TLS stack that only supports TLS 1.0,
and the client supports DANE, but supports only TLS 1.2 and up.

The problem scenarios are operator negligence.  There are many other
ways to be negligent and screw up your mail.  That said, if you're
struggling to manage your system, and mostly neglect it, then DANE is
likely not for you...  It is for competent operators who are willing to
put in some effort to get better email security.

> Or did I misunderstand how it works?

Mostly this.

-- 
    Viktor.
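As an added illustration of points 1 and 2 above (example code, not part of Viktor's message or of Postfix), the client-side decision a DANE-aware MTA makes per RFC 7672 as I read it: TLSA records count only when the lookup came back DNSSEC-validated (the AD bit), and TLS enforcement follows from what those records contain. The level names "may", "encrypt" and "dane" borrow Postfix's smtp_tls_security_level vocabulary; the certificate and SPKI bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Usages an SMTP client acts on (RFC 7672, section 3.1.3): PKIX-TA(0) and
# PKIX-EE(1) are unusable MTA-to-MTA, since MTAs share no agreed set of CAs.
# Selector 0 = full cert, 1 = SubjectPublicKeyInfo; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512.
USABLE_USAGES = {2, 3}

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

def is_usable(rr: TLSA) -> bool:
    return rr.usage in USABLE_USAGES and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)

def effective_level(ad: bool, tlsa: list) -> str:
    """Security level a DANE-aware client ends up applying to one MX host.
    ad: the TLSA answer carried the AD bit, i.e. the zone is signed and the
    client's validating resolver checked it.  Without that, records are ignored."""
    if not ad or not tlsa:
        return "may"      # opportunistic TLS, unauthenticated, cleartext fallback allowed
    if not any(is_usable(rr) for rr in tlsa):
        return "encrypt"  # TLSA exists but nothing usable: TLS required, cert not verified
    return "dane"         # usable TLSA: TLS required and the cert must match a record

def matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one DANE-EE(3) record against the server's end-entity certificate.
    DANE-TA(2) needs chain walking and is left out of this example."""
    if rr.usage != 3:
        return False
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rr.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == rr.data

def authenticated(tlsa: list, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable record matches; at level 'dane' a False here defers mail."""
    return any(is_usable(rr) and matches(rr, cert_der, spki_der) for rr in tlsa)

# Constructed stand-ins for DER bytes; a real client takes them from the TLS handshake.
CERT_DER = b"constructed-cert-der"
SPKI_DER = b"constructed-spki-der"
GOOD_RR = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())         # the common "3 1 1" form
STALE_RR = TLSA(3, 1, 1, hashlib.sha256(b"rotated-key").digest())  # key rotated, TLSA not updated
PKIX_RR = TLSA(1, 1, 1, hashlib.sha256(SPKI_DER).digest())         # unusable for SMTP
```

The STALE_RR case is the "wrong TLSA records" failure Viktor describes: with AD set and a usable record present the level is "dane", and a record that matches nothing makes delivery defer rather than fall back.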