On Sun, Aug 23, 2015 at 08:30:10PM +0200, Patrik Fältström wrote: > This is a bit confusing to me. I.e. the terminology is confusing. To me, [2] > has proper DANE validated TLS available for the SMTP connection. > > But I completely agree there is an MiM possible for the unsigned MX. Just > like we have today. And why we want DNSSEC deployed.
If we'd only be worried about a passive attacker, we'd not address the spoofed MX RR, but we'd want the SMTP connection encrypted. In that case (passive only), opportunistic (pre DANE) STARTTLS would be sufficient. If we'd worry enough about active attacks, we'd want the endpoint identity verified (thus DANE[1]) as well as its capabilities (thus DANE[2]), and at the same time we'd probably prefer (or even demand) signed/validated MX RRs. Apparently there are multiple potential attackers of different background, motivation, and means. If your enemy is the helpful corporate firewall that intercepts SMTP to 'optimize away' STARTTLS, maybe its next version will 'enhance' MX responses? -Peter _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
