Postfix supports two mechanisms for resolving hostnames obtained
via MX records. The first is naturally "dns", and this is the only
one used by default, but administrators may choose to enable "native"
hostname lookups so that they reach various internal hosts listed
only in /etc/hosts or similar.
My intention is to only impute TLSA RRset policy to hosts that that
were found in DNS. If a host is found by other means there is
little reason to believe that the (typically) TCP endpoint the
administrator wants us to connect is the same one described in any
TLSA records that happen to end with the same hostname.
There seems to be some nascent effort to address this in
dane-ietf-draft-smtp, but no real text yet. Is there any support
for my tentative assessment of the situation?
Security is nice and all that, but we don't want to break too much
and give security a bad name, with everyone (perhaps rightly) too
afraid to deploy it (deployment should make things better even if
not perfect).
So I would vote for caution, it should be enough to ensure that
DANE TLS describe security on the public Internet for entities
named by DNS and therefore, should not intrude on unrelated
namespaces (scopes).
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
