11 Apr 2015, 5:17 a.m.
On Fri, Apr 10, 2015 at 10:30:25PM -0400, John Allen wrote:
>> 3. If you want any security from DANE when sending outbound email to remote domains, you MUST use a local 127.0.0.1 resolver that validates DNSSEC record signatures for itself.
> Done, but why?
Because Postfix trusts whatever resolver it queries, DNSSEC validation is performed only by the resolver. DANE is supposed to protect you from MiTM attacks, but if you trust packets purportedly from 8.8.8.8, you're leaving yourself open to MiTM attacks. Thus DANE via remote trusted resolvers is pointless.
--
Viktor.
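As an added illustration, not part of Viktor's message or of the Postfix project's own code, the script below checks the three things his answer hinges on: that every nameserver in resolv.conf is a loopback address, that Postfix is configured to ask its resolver for DNSSEC-validated answers and to use them for DANE, and that a TLSA lookup actually comes back with the AD (authenticated data) flag set. All inputs are constructed samples; the Postfix parameter names (smtp_dns_support_level, smtp_tls_security_level) are real settings but are not mentioned in the post itself.

```python
"""Offline checks for the DANE prerequisite discussed in the thread:
Postfix trusts whatever resolver it queries, so the resolver must be local
and must validate DNSSEC itself.  Every input below is a constructed sample;
on a real host feed in /etc/resolv.conf, the output of `postconf -n`, and
the header of a `dig +dnssec` reply instead."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of /etc/resolv.conf: one loopback and one remote resolver.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 127.0.0.1
nameserver 8.8.8.8
options edns0
"""

# Constructed sample of `postconf -n` output (assumed settings, not from the post).
SAMPLE_POSTCONF = """\
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
"""

# Constructed header lines as `dig +dnssec` prints them: with and without the AD flag.
SAMPLE_DIG_VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
SAMPLE_DIG_UNVALIDATED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    found = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def remote_nameservers(resolv_conf: str) -> List[str]:
    """Nameservers that are not loopback.  Packets from such an address can be
    spoofed on the path, so any validation it claims to have done is worthless
    to Postfix; an unparsable address is reported as remote as well."""
    remote = []
    for addr in nameservers(resolv_conf):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                remote.append(addr)
        except ValueError:
            remote.append(addr)
    return remote


def postfix_settings(postconf_output: str) -> Dict[str, str]:
    """Parse `name = value` lines from `postconf -n` into a dict."""
    settings = {}
    for line in postconf_output.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def postfix_ready_for_dane(postconf_output: str) -> bool:
    """True when Postfix asks its resolver for DNSSEC-validated (AD) answers
    and uses them for DANE on outbound SMTP."""
    s = postfix_settings(postconf_output)
    return (s.get("smtp_dns_support_level") == "dnssec"
            and s.get("smtp_tls_security_level") in ("dane", "dane-only"))


def answer_authenticated(dig_output: str) -> bool:
    """True when the resolver set the AD flag on the reply.  Without it the
    TLSA records are unauthenticated and cannot anchor a DANE verification."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()


def dane_prerequisites_ok(resolv_conf: str, postconf_output: str, dig_output: str) -> bool:
    """All three conditions together: local resolver, Postfix configured, AD flag seen."""
    return (not remote_nameservers(resolv_conf)
            and postfix_ready_for_dane(postconf_output)
            and answer_authenticated(dig_output))


if __name__ == "__main__":
    print("remote resolvers:", remote_nameservers(SAMPLE_RESOLV_CONF))
    print("postfix ready:", postfix_ready_for_dane(SAMPLE_POSTCONF))
    print("AD flag present:", answer_authenticated(SAMPLE_DIG_VALIDATED))
    print("all prerequisites:", dane_prerequisites_ok(SAMPLE_RESOLV_CONF, SAMPLE_POSTCONF, SAMPLE_DIG_VALIDATED))
```

With the sample resolv.conf the overall check fails because 8.8.8.8 is listed: even though the local resolver comes first, the stub resolver will fall through to the remote one on a timeout, and at that moment the AD bit is only as trustworthy as the network path. The fix is the one Viktor states: list only 127.0.0.1 (or ::1) and run a validating resolver there.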