Quoting Viktor Dukhovni <[email protected]>:
> and not surprisingly into the Postfix DANE implementation, currently
> available in the 2.11-20130825 snapshot from www.postfix.org

Reading this, I tried to verify it.
And: it works!
I have an SMTP server with an associated DANE record.
A client could establish a trusted TLS session without knowing any
root certificates
(empty smtp_tls_CAfile and smtp_tls_CApath).
The trust is based only on DNSSEC and DANE.
If I now disable STARTTLS at the server, the client does not send the
message without TLS:
"TLS is required, but was not offered by host ..."
That's a usable downgrade prevention.
Thanks!
Andreas
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
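
The client behaviour reported in this message, as a simplified model (an added example, not part of the original post and not Postfix code): trust comes from a DNSSEC-validated TLSA record rather than a CA store, and a missing STARTTLS is a failure once such a record exists. The names `TLSA`, `tlsa_matches` and `decide`, the return strings, the fallback to "opportunistic" when no secure TLSA record exists, and the sample byte strings are assumptions made for illustration; only DANE-EE (usage 3) records are handled.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (the only usage this model handles)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rr, cert_der, spki_der):
    """RFC 6698 matching of one DANE-EE record against the server's leaf certificate."""
    if rr.usage != 3 or rr.selector not in (0, 1):
        return False
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rr.mtype)
    return algo is not None and algo(selected).digest() == rr.data

def decide(rrset, dnssec_secure, offers_starttls, cert_der=b"", spki_der=b""):
    """Return 'opportunistic', 'deliver' or 'defer' for one delivery attempt."""
    # Without a DNSSEC-validated TLSA RRset there is nothing to anchor trust on
    # (assumed fallback in this model: ordinary opportunistic TLS).
    if not dnssec_secure or not rrset:
        return "opportunistic"
    # Secure TLSA records exist, so the server has published that it does TLS.
    # A missing STARTTLS is treated as a downgrade, never as "send in clear".
    if not offers_starttls:
        return "defer"
    # No CA store is consulted: one matching TLSA record is sufficient.
    if any(tlsa_matches(rr, cert_der, spki_der) for rr in rrset):
        return "deliver"
    return "defer"

# Constructed sample data: stand-in byte strings, not real DER.
CERT = b"constructed-leaf-certificate"
SPKI = b"constructed-public-key-info"
RRSET = [TLSA(3, 1, 1, hashlib.sha256(SPKI).digest())]

if __name__ == "__main__":
    print(decide(RRSET, True, True, CERT, SPKI))          # matching key
    print(decide(RRSET, True, False))                     # STARTTLS stripped
    print(decide(RRSET, True, True, CERT, b"other-key"))  # substituted key
    print(decide(RRSET, False, False))                    # no secure TLSA
```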