On 10/04/2015 11:17 PM, Viktor Dukhovni wrote:
> On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
> > > 3. If you want any security from DANE when sending outbound email to remote domains, you MUST use a local 127.0.0.1 resolver that validates DNSSEC record signatures for itself.
> > Done, but why?
> Because Postfix trusts whatever resolver it queries, DNSSEC validation is performed only by the resolver. DANE is supposed to protect you from MiTM attacks, but if you trust packets purportedly from 8.8.8.8, you're leaving yourself open to MiTM attacks. Thus DANE via remote trusted resolvers is pointless.
OK, makes sense, and I should have been able to answer that one on my own; I am getting old and far too trusting. Or maybe I have been retired too long and am beginning to forget that the internet is a pool full of piranhas. Or, much more likely, I need to engage brain more often. Anyway, thanks for answering my dumb questions.

John A
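An added illustration of the point Viktor makes above (not part of this thread, and not Postfix code): Postfix only sees the AD (authenticated data) bit that its resolver sets in the DNS response header, so a DANE deployment is only as trustworthy as the path to that resolver. The script below parses the AD bit out of a raw DNS header and checks that every resolver in a resolv.conf text is a loopback address; the resolv.conf contents and the DNS headers are constructed sample data, and the function names are assumptions.

```python
import ipaddress
import struct

# Constructed sample resolv.conf contents (not from the original message).
RESOLV_CONF_LOCAL = "nameserver 127.0.0.1\noptions edns0\n"
RESOLV_CONF_REMOTE = "nameserver 8.8.8.8\nnameserver 127.0.0.1\n"

# AD bit position in the 16-bit DNS flags word (RFC 4035 section 3.2.3).
AD_BIT = 0x0020


def resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def all_resolvers_local(resolv_conf_text):
    """True only if every configured resolver is a loopback address.

    Postfix trusts the AD bit from whichever resolver answers, so a single
    non-loopback entry means DANE trust rests on unauthenticated UDP packets
    that a network attacker could replace."""
    addrs = resolvers(resolv_conf_text)
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def ad_flag_set(dns_message):
    """Extract the AD flag from a raw DNS message (12-byte header)."""
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags = struct.unpack("!HH", dns_message[:4])
    return bool(flags & AD_BIT)


def build_header(ad):
    """Constructed minimal response header: QR=1, RD=1, RA=1, AD as given."""
    flags = 0x8180 | (AD_BIT if ad else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


def dane_lookup_trustworthy(resolv_conf_text, dns_message):
    """A DANE lookup is usable only if the answer is validated (AD set)
    AND the validation was done by a resolver on the local host."""
    return all_resolvers_local(resolv_conf_text) and ad_flag_set(dns_message)
```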