On 10/04/2015 11:17 PM, Viktor Dukhovni wrote:
> On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
> > > 3. If you want any security from DANE when sending outbound
> > > email to remote domains, you MUST use a local 127.0.0.1
> > > resolver that validates DNSSEC record signatures for itself.
> >
> > Done, but why?
>
> Because Postfix trusts whatever resolver it queries, DNSSEC validation
> is performed only by the resolver. DANE is supposed to protect
> you from MiTM attacks, but if you trust packets purportedly from
> 8.8.8.8, you're leaving yourself open to MiTM attacks. Thus DANE
> via remote trusted resolvers is pointless.
OK, makes sense, and I should have been able to answer that one on my own.
I am getting old and far too trusting. Or maybe I have been retired too
long and am beginning to forget that the internet is a pool full of
piranhas. Or much more likely I need to engage brain more often.
Anyway, thanks for answering my dumb questions.
John A
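The point Viktor makes above is that Postfix does no DNSSEC validation of its own: it simply believes the AD ("authentic data") bit in whatever response its configured resolver returns, and that bit is a single unauthenticated header flag if it travels across the network from a remote resolver. The following script is an added example, not code from the thread or from Postfix; the resolv.conf samples and the DNS response headers in it are constructed for illustration. It checks whether a resolv.conf points only at loopback addresses (the "local 127.0.0.1 resolver" the quoted text demands) and shows where the AD bit sits in a DNS response header, which is the only thing a remote resolver would have to set (or an on-path attacker would have to forge) to be believed.

```python
import ipaddress

# Constructed sample: forwarding to a public resolver. Any DNSSEC
# validation happens on the far side, and the AD bit crosses an
# unauthenticated UDP hop before Postfix sees it.
REMOTE_RESOLV_CONF = """\
nameserver 8.8.8.8
nameserver 8.8.4.4
options edns0
"""

# Constructed sample: a validating resolver (e.g. unbound) listening on
# the loopback interface, so the AD bit never leaves the host.
LOCAL_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver ::1
options edns0
"""


def nameservers(resolv_conf):
    """Return the nameserver addresses listed in a resolv.conf text."""
    result = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            result.append(parts[1])
    return result


def non_loopback_nameservers(resolv_conf):
    """Nameservers that are not on the local host.

    Anything here is a resolver whose answers, AD bit included, arrive
    over the network and can be tampered with en route.
    """
    bad = []
    for ns in nameservers(resolv_conf):
        try:
            if not ipaddress.ip_address(ns).is_loopback:
                bad.append(ns)
        except ValueError:
            # Unparseable entry: treat it as untrusted rather than local.
            bad.append(ns)
    return bad


def dane_resolver_ok(resolv_conf):
    """True only if at least one nameserver is configured and all of them
    are loopback addresses, i.e. the DANE precondition from the thread."""
    listed = nameservers(resolv_conf)
    return bool(listed) and not non_loopback_nameservers(resolv_conf)


def ad_flag_set(dns_message):
    """Read the AD bit from a DNS message header (RFC 4035, section 3.2.3).

    The 12-byte header holds a 16-bit flags field at offset 2; in its low
    byte the bits are RA (0x80), Z (0x40), AD (0x20), CD (0x10) and RCODE.
    This single bit is all Postfix has to go on when deciding whether a
    TLSA record is "secure".
    """
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    return bool(dns_message[3] & 0x20)


# Constructed 12-byte headers: ID 0x1234, one question, one answer.
# Flags 0x81a0: response, RD, RA, AD set (validated by the resolver).
VALIDATED_HEADER = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
# Flags 0x8180: response, RD, RA, no AD (unvalidated or validation failed).
UNVALIDATED_HEADER = bytes.fromhex("1234 8180 0001 0001 0000 0000")


if __name__ == "__main__":
    for name, conf in (("remote", REMOTE_RESOLV_CONF), ("local", LOCAL_RESOLV_CONF)):
        verdict = "usable for DANE" if dane_resolver_ok(conf) else "NOT usable for DANE"
        print(f"{name}: nameservers={nameservers(conf)} -> {verdict}")
    print("AD bit in validated header:", ad_flag_set(VALIDATED_HEADER))
    print("AD bit in unvalidated header:", ad_flag_set(UNVALIDATED_HEADER))
```

On the Postfix side the matching settings are `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`; both are only meaningful once `dane_resolver_ok` would report true for the host's actual resolv.conf.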