On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
>> I don't want to have a perfection box which can't communicate with
>> the rest of the world, but something which helps with today's
>> internet.
>
> Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> mailserver has TLSA records. Enabling DNSSEC does not prevent you
> from communicating with the rest of the world. Furthermore, you
> can enable DNSSEC validation in your resolver before your own domain
> is signed. The two are independent.
So what do you think really - How long will it take until 10% of all mail
hosts use DANE/TLSA? Wouldn't it be a good idea to at least increase
security (even a little bit) for what we have now? I'd be happy when a
higher percentage would support TLS at all.
But you didn't answer my question: What harm would it do, when the checks
implemented already to verify certs and domain names and maybe TLS
protocol quality are also executed for "Opportunistic TLS" and the
results printed in the log?
Would it really be bad when the line
Feb 24 18:56:04 merkur postfix/smtp[7701]: Trusted TLS connection established
to mail.stoecker.eu[2a01:4f8:d13:3800::1:5]:25: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
contains a note that the server certificate of the connection
actually also matched the domain name written there.
>> My Registrar said today:
>> "Sorry, currently it is not possible to use DNSSec for domains
>> registered here."
>
> Vote with your feet. I'm transferring my domains to a registrar
> with better DNSSEC support (and incidentally lower price).
I live in the "high-tech country" Germany. Here a 16/1MB DSL line is
extreme highspeed internet, IPv4 is state of the art. I can only dream of
finding providers for more reliable Internet. DNSSEC is actually the
lowest of my problems.
And then I need to hope that users start to use that information,
because all this work is completely useless until 100% deployed. My
100 years guess isn't so bad, I think. Very unlikely that this
approach will work.
> No, DANE secures SMTP transport between publishing servers and
> validating clients regardless of what everyone else is doing. The
> adoption model is incremental.
Is there a test server I can use to verify correct function? It does not
sound like a good idea to send some test mails to a server without a
permission to do so.
Even if it seems I can't get more security for my own server or get better
information out of postfix to evaluate the "low quality TLS" connections
it at least would be interesting to set up that support for sending. Maybe
in the next year there even will be an email to one of these servers.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
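Editor's note, added below the thread (this is example code, not Postfix's own nor the poster's): the question about evaluating "low quality TLS" connections from the log can be answered with what Postfix already writes. The word before "TLS connection established" is a trust level: "Anonymous" (no server certificate), "Untrusted" (certificate presented but chain not verifiable), "Trusted" (chain verified against a trusted CA, server name not checked) and "Verified" (certificate verified and name matched). The quoted "Trusted" line therefore already tells you the name was not matched; "Verified" is the level that says it was. The script parses such lines, counts sessions per level and lists what each session did not give you (no certificate, unverifiable chain, unmatched name, obsolete protocol, weak key size). All sample lines are constructed except the "Trusted" one quoted in the thread; the regular expression assumes the log wording shown there.

```python
"""Classify Postfix smtp(8) outbound TLS log lines by trust level.

Added example for this thread; it is not Postfix code. It relies only on
the wording Postfix uses when logging an outbound TLS session (Anonymous,
Untrusted, Trusted, Verified). Every sample line is constructed except
the "Trusted" one, which is the line quoted in the thread.
"""
import re
from collections import Counter

# What each level means (Postfix TLS_README):
#   Anonymous - no server certificate (anonymous cipher suite)
#   Untrusted - certificate presented, chain not verifiable
#   Trusted   - chain verified against a trusted CA, server name NOT checked
#   Verified  - certificate verified AND the server name matched
LEVELS = ("Anonymous", "Untrusted", "Trusted", "Verified")

# Constructed sample log (the first TLS line is the one quoted in the thread).
SAMPLE_LOG = """\
Feb 24 18:56:04 merkur postfix/smtp[7701]: Trusted TLS connection established to mail.stoecker.eu[2a01:4f8:d13:3800::1:5]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 24 18:57:11 merkur postfix/smtp[7702]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 24 18:58:30 merkur postfix/smtp[7703]: Anonymous TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 24 18:59:02 merkur postfix/smtp[7704]: Verified TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 19:00:15 merkur postfix/smtp[7705]: Untrusted TLS connection established to mx.weak.example[192.0.2.99]:25: SSLv3 with cipher EXP-RC4-MD5 (40/128 bits)
Feb 24 19:00:16 merkur postfix/smtp[7705]: 3A1B2C3D4E: to=<user@weak.example>, relay=mx.weak.example[192.0.2.99]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 OK)
"""

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


def parse_tls_line(line):
    """Return a dict for a TLS-session line, or None for any other log line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bits"] = int(rec["bits"])  # effective key bits: first number in "(256/256 bits)"
    return rec


def parse_log(log_text):
    """All TLS-session records in a log, delivery lines and other noise skipped."""
    return [r for r in (parse_tls_line(l) for l in log_text.splitlines()) if r]


def summarize(log_text):
    """Count sessions per trust level, e.g. how much outbound mail is only 'Anonymous'."""
    return Counter(rec["level"] for rec in parse_log(log_text))


def findings(log_text, min_bits=128):
    """Human-readable notes on what each session did NOT give you."""
    out = []
    for rec in parse_log(log_text):
        where = "%s[%s]" % (rec["host"], rec["addr"])
        level = rec["level"]
        if level == "Anonymous":
            out.append(where + ": no server certificate at all")
        elif level == "Untrusted":
            out.append(where + ": certificate chain could not be verified")
        elif level == "Trusted":
            out.append(where + ": chain verified but server name not matched")
        # Independent of the trust level, flag obsolete protocols and small keys.
        if rec["proto"].startswith("SSLv"):
            out.append(where + ": obsolete protocol " + rec["proto"])
        if rec["bits"] < min_bits:
            out.append(where + ": weak cipher %s (%d bits)" % (rec["cipher"], rec["bits"]))
    return out


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for level in LEVELS:
        print("%-10s %d" % (level, counts.get(level, 0)))
    for note in findings(SAMPLE_LOG):
        print(note)
```

Run it against a real mail log instead of SAMPLE_LOG by reading the file into `summarize()` and `findings()`; with the sample, the "Trusted" line from the thread is reported as "chain verified but server name not matched", the constructed SSLv3/40-bit session produces three notes, and the "Verified" session produces none.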