On Mon, Jan 03, 2022 at 05:49:05AM -0800, Dan Mahoney (Gushi) wrote:

> We run validating resolvers at the day job, but by default not on the box 
> where postfix runs.  (I.e. we rely on the AD bit).

"Relying on the AD bit" is independent of whether the validating
resolver is local or remote.  However, it is only secure when it is
local.  You get no security if "remote" means across the public
Internet, operated by some third party provider.  When remote is a
nearby resolver on an internal LAN, you may still be vulnerable in
some ways.

The only sound approach is to use a local (loopback network) validating
resolver, and if desirable have it forward queries to a nearby shared
resolver, whose replies are locally revalidated.

> In reading over what's required to enable DANE support in postfix, I see 
> that there's a compile-time requirement for the DNS lib in the OS to 
> support it, which our OS does according to resolv.h.  I don't see any 
> options in the port to enable/disable this feature.

Most extant Unix-like systems have a DNS stub resolver that supports
DNSSEC queries.  Postfix just needs the AD bit set in requests, but
the legacy libresolv API only supports setting the DO bit, which is
more than strictly necessary.

> Is there a -V command or something I can have postfix log to see if this 
> is the case?  Also, is there a way to add a header implying the status of 
> a DANE lookup to outbound mail?

If you enable DNSSEC lookups, Postfix will log a warning when the root
zone appears unsigned.  See:

    http://www.postfix.org/postconf.5.html#dnssec_probe

    This feature is available in Postfix 3.6 and later. It was
    backported to Postfix versions 3.5.9, 3.4.19, 3.3.16, 3.2.21.

I can't promise that any particular "distro" build of Postfix prior
to 3.6 necessarily merged the backport patch in question.

> If you've set smtp_tls_security_level=dane, but haven't set 
> smtp_dns_support_level=dnssec, is a warning logged?

Yes:

    if (!(smtp_host_lookup_mask & SMTP_HOST_FLAG_DNS)
        || smtp_dns_support != SMTP_DNS_DNSSEC) {
        dane_incompat(tls, iter, NONDANE_CONFIG,
                      "%s: %s configured with dnssec lookups disabled",
                      STR(iter->dest), policy_name(tls->level));
        return;
    }

-- 
    Viktor.
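As an added example (not part of Viktor's message, nor Postfix code), here is the wire-level view of the two points above: a query that asks for validation by setting AD in the header and DO in an EDNS0 OPT record, and the check a DANE-style client applies to a reply's AD bit. All constants, names and the two sample reply headers are constructed here.

```python
# Added example, not from the thread or from Postfix: pure-stdlib DNS
# wire-format helpers for the AD (header) and DO (EDNS0) bits.
import struct

QR = 1 << 15        # header flag: message is a response
RD = 1 << 8         # header flag: recursion desired
RA = 1 << 7         # header flag: recursion available
AD = 1 << 5         # header flag: authentic data (resolver validated it)
DO = 1 << 15        # EDNS0 "DNSSEC OK"; lives in the OPT record's TTL field
TYPE_DNSKEY, TYPE_OPT, CLASS_IN = 48, 41, 1
EDNS_UDP_SIZE = 1232

def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00'; the root '.' -> b'\\x00'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid, want_ad=True, want_do=True):
    """AD in the header is all a validating resolver needs; DO additionally
    asks for RRSIGs (the DO bit is what libresolv's RES_USE_DNSSEC sets)."""
    flags = RD | (AD if want_ad else 0)
    arcount = 1 if want_do else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if want_do:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # 32-bit TTL = ext-rcode(8) | version(8) | flags(16) with DO set.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO, 0)
    return msg

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rcode": flags & 0xF,
            "ad": bool(flags & AD), "ancount": an}

def reply_is_secure(msg, txid):
    """DANE data is usable only if the reply is ours, NOERROR, and carries AD.
    As the thread explains, AD is only trustworthy when it was set by a
    validating resolver on the loopback interface."""
    h = parse_header(msg)
    return h["qr"] and h["id"] == txid and h["rcode"] == 0 and h["ad"]

# Constructed sample reply headers (12 bytes each, id 0x1234, NOERROR):
SECURE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 2, 0, 1)
INSECURE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 2, 0, 1)

if __name__ == "__main__":
    q = build_query(".", TYPE_DNSKEY, 0x1234)      # the root-zone style probe
    print(q.hex(), parse_header(q))
    print(reply_is_secure(SECURE_REPLY, 0x1234), reply_is_secure(INSECURE_REPLY, 0x1234))
```

Sending `build_query(".", TYPE_DNSKEY, ...)` to the resolver in /etc/resolv.conf and passing the reply to `reply_is_secure` reproduces the gist of the dnssec_probe check: a missing AD bit on the root zone means the resolver you are talking to is not validating.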
