On Tue, Feb 11, 2025 at 09:12:16AM +0100, Danjel Jungersen via Postfix-users
wrote:
> On 11-02-2025 08:28, Viktor Dukhovni via Postfix-users wrote:
> > On Mon, Feb 10, 2025 at 04:14:36PM +0100, Danjel Jungersen via
> > Postfix-users wrote:
> >
> > > I have decided to give it a shot.
> > When you say "give it a shot", do you mean enabling DANE *outbound* in
> > your Postfix SMTP client, i.e. verify the DANE TLSA records of remote
> > domains that have implemented it?
> >
> > If so, that's pretty simple, you need a local DNSSEC validating resolver
> > (BIND, unbound, knot, not systemd-resolved or dnsmasq).
> > Then just:
> >
> > /etc/resolv.conf
> > nameserver 127.0.0.1
> > # Glibc-specific
> > options trust-ad
>
> In short, what does this do?
> (the options part....)
>
> I have in-house bind running and put the IPs at the nameserver part. Been
> working for some weeks now.
>
> A quick google shows me a warning that the options part only works with
> 127.0.0.1, is this correct?
> My bind is running on another machine.
Use a validating resolver on the local machine as a cache that forwards
to that upstream. You SHOULD NOT trust the AD bit from a resolver
running on another machine, the DNS protocol (DoH aside, when you
fully trust the upstream) is not immune to MiTM attacks.
--
Viktor.
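The setup Viktor describes, written out as an added example (this is not part of the thread and not Postfix's or unbound's own documentation): a loopback-only unbound that validates DNSSEC itself and forwards to the in-house BIND, the matching /etc/resolv.conf with `options trust-ad`, the two Postfix parameters that turn on DANE outbound, and a small check that an answer from the loopback validator actually carries the AD flag. The upstream address 192.0.2.53, the Debian-style unbound.conf.d layout, the file name forward-to-bind.conf and the ROOT/UPSTREAM variables are assumptions for illustration; the trust anchor is assumed to be configured by the distribution's default unbound config and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the thread or from the Postfix project.
# Assumptions: in-house BIND at 192.0.2.53 (override with UPSTREAM), unbound
# installed with its distribution trust-anchor config already present,
# Debian-style /etc/unbound/unbound.conf.d. Set ROOT to render the files
# into a scratch directory instead of the live /etc.
ROOT="${ROOT:-}"
UPSTREAM="${UPSTREAM:-192.0.2.53}"

# unbound: listen only on loopback, validate locally, forward queries to BIND.
# The AD bit Postfix sees is then set by this host, not by the remote BIND.
render_unbound_forwarder() {
  mkdir -p "$ROOT/etc/unbound/unbound.conf.d"
  cat > "$ROOT/etc/unbound/unbound.conf.d/forward-to-bind.conf" <<EOF
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # treat answers whose RRSIGs were stripped in transit as bogus
    # rather than silently downgrading them to insecure
    harden-dnssec-stripped: yes
forward-zone:
    name: "."
    forward-addr: $UPSTREAM
EOF
}

# resolv.conf: only the loopback validator. glibc (2.31 and later) clears the
# AD bit from answers unless trust-ad is set, so without it Postfix would
# never see a validated TLSA record even from a correct local validator.
render_resolv_conf() {
  mkdir -p "$ROOT/etc"
  cat > "$ROOT/etc/resolv.conf" <<'EOF'
nameserver 127.0.0.1
options trust-ad
EOF
}

# Postfix main.cf settings for DNSSEC-aware lookups and DANE outbound
# (apply with: postconf -e "$(postfix_dane_settings)"; postfix reload).
postfix_dane_settings() {
  printf 'smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n'
}

# Returns 0 when a dig output contains a header flags line with AD set.
# AD is an unsigned header bit: it only means something when the resolver
# that set it is on this host, which is exactly why the query goes to
# 127.0.0.1 and not to the remote BIND.
has_ad_flag() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad[ ;]'
}

# Live check (needs dig and the running local unbound): the TLSA lookup for
# a DANE-enabled MX must come back with AD; without it Postfix falls back
# from DANE to unauthenticated TLS for that host.
check_tlsa_live() {
  has_ad_flag "$(dig +dnssec @127.0.0.1 "_25._tcp.$1" TLSA 2>/dev/null)"
}

# Dry run: ROOT=/tmp/dane-test sh this-script.sh, inspect the files, then
# copy them into place and restart unbound and Postfix.
if [ -n "$ROOT" ]; then
  render_unbound_forwarder
  render_resolv_conf
  postfix_dane_settings
fi
```

After the services are restarted, `check_tlsa_live mail.example.com` (or `dig +dnssec @127.0.0.1 _25._tcp.mail.example.com TLSA` by hand) should show `ad` in the flags line; `dig +dnssec @192.0.2.53` against the remote BIND may show the same flag, but that is the bit Viktor is warning not to trust.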