On 24.02.2014 19:03, Dirk Stöcker wrote:
> On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
>
>>> I don't want to have a perfection box which can't communicate with
>>> the rest of the world, but something which helps with today's
>>> internet.
>>
>> Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
>> mailserver has TLSA records. Enabling DNSSEC does not prevent you
>> from communicating with the rest of the world. Furthermore, you
>> can enable DNSSEC validation in your resolver before your own domain
>> is signed. The two are independent.
>
> So what do you think really - How long will it take until 10% of all
> mail hosts use DANE/TLSA? Wouldn't it be a good idea to at least
> increase security (even a little bit) for what we have now? I'd be happy
> when a higher percentage would support TLS at all.
>
> But you didn't answer my question: What harm would it do, when the checks
> implemented already to verify certs and domain names and maybe TLS
> protocol quality are also executed for "Opportunistic TLS" and the
> results printed in the log?
>
> Would it really be bad when the line
>
> Feb 24 18:56:04 merkur postfix/smtp[7701]: Trusted TLS connection
> established to mail.stoecker.eu[2a01:4f8:d13:3800::1:5]:25: TLSv1 with
> cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> contains a note that the server certificate of the connection actually
> also matched the domain name written there.
>
>>> My Registrar said today:
>>> "Sorry, currently it is not possible to use DNSSec for domains
>>> registered here."
>>
>> Vote with your feet. I'm transferring my domains to a registrar
>> with better DNSSEC support (and incidentally lower price).
>
> I live in the "high-tech country" Germany. Here a 16/1MB DSL line is
> extreme highspeed internet, IPv4 is state of the art. I can only dream
> of finding providers for more reliable Internet. DNSSEC is actually the
> lowest of my problems.
>
>>> And then I need to hope that users start to use that information,
>>> because all this work is completely useless until 100% deployed. My
>>> 100-years guess isn't so bad, I think. Very unlikely that this
>>> approach will work.
>>
>> No, DANE secures SMTP transport between publishing servers and
>> validating clients regardless of what everyone else is doing. The
>> adoption model is incremental.
>
> Is there a test server I can use to verify correct function? It does not
> sound like a good idea to send some test mails to a server without a
> permission to do so.
>
> Even if it seems I can't get more security for my own server or get
> better information out of Postfix to evaluate the "low quality TLS"
> connections, it at least would be interesting to set up that support for
> sending. Maybe in the next year there even will be an email to one of
> these servers.
>
> Ciao
Hi Dirk

Be sure DNSSEC will spread fast at some point if massive attacks on DNS servers rise more and more.

see https://sys4.de/de/blog/2013/10/14/dns-fragment-angriffe-zeit-fur-dnssec/

Best Regards
Kind regards

Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
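Dirk's wish to evaluate "low quality TLS" connections from the log can at least partly be met with what Postfix already writes: the first word of each smtp(8) TLS line is the trust level Postfix assigned to the peer certificate. As an added example that is not part of this thread, the following Python parses lines in the format quoted above, keeps that trust level, and flags handshakes that fail a local protocol/cipher policy; the policy sets and every sample line except the one quoted by Dirk are constructed for this example.

```python
import re
from collections import Counter

# Postfix smtp(8) TLS handshake line as quoted in the thread. The leading word is the trust
# level Postfix already logs: Anonymous (no cert), Untrusted (chain not verifiable),
# Trusted (chain verified against a CA, name not checked), Verified (chain and name verified).
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>\S+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# Local policy, an assumption of this example, not a Postfix setting.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXPORT", "NULL", "MD5")

def parse_tls_line(line):
    """Return the TLS fields of one log line, or None for lines that are not TLS handshakes."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    rec["name_matched"] = rec["trust"] == "Verified"  # only level where Postfix matched the name
    rec["weak"] = (rec["proto"] in WEAK_PROTOCOLS
                   or any(k in rec["cipher"] for k in WEAK_CIPHER_MARKERS)
                   or rec["bits"] < 128)
    return rec

def summarize(lines):
    """Count handshakes per (trust level, weak flag); collect hosts whose name was not matched."""
    counts, unmatched = Counter(), set()
    for rec in filter(None, map(parse_tls_line, lines)):
        counts[(rec["trust"], rec["weak"])] += 1
        if not rec["name_matched"]:
            unmatched.add(rec["host"])
    return counts, sorted(unmatched)

# Constructed sample: the first line is the one quoted in the thread, the others are made up.
SAMPLE_LOG = [
    "Feb 24 18:56:04 merkur postfix/smtp[7701]: Trusted TLS connection established to "
    "mail.stoecker.eu[2a01:4f8:d13:3800::1:5]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Feb 24 19:02:11 merkur postfix/smtp[7712]: Verified TLS connection established to "
    "mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Feb 24 19:05:40 merkur postfix/smtp[7720]: Untrusted TLS connection established to "
    "smtp.example.org[198.51.100.7]:25: SSLv3 with cipher RC4-SHA (128/128 bits)",
    "Feb 24 19:06:02 merkur postfix/smtp[7721]: connect to mx2.example.com[203.0.113.9]:25: Connection timed out",
]

if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE_LOG)
    print(dict(counts), "no name match:", unmatched)
```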