On 29.07.2014 at 17:23, Viktor Dukhovni wrote:
> On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote:
>
>> Hi Viktor, perhaps a silly question: I sometimes asked myself why not use
>> something like an advanced SPF, i.e.
>>
>> IN SPF "v=spf1 mx ip4:1.2.3.4/24
>> TLSPOLICY:require-valid-certificate -all"
>
> Well SPF records are for policy applied by receiving systems to
> sending systems, while the problem at hand is TLS policy that
> sending systems should apply to receiving systems. So SPF is
> the wrong place to publish the information.

OK

> Generalizing your suggestion to some other DNS record, if it is
> not DNSSEC protected (including verified non-existence), then
> it serves no purpose since an active attacker can suppress such
> a record. To thwart passive attacks, just STARTTLS is enough.

Makes sense.

> Thus DANE, which provides a downgrade-resistant signal of TLS
> support, and also publishes the requisite certificate or public
> key fingerprints to resist TLS MiTM attacks.
>
> You're re-inventing DANE... The key observation is that DNS
> policy records that are not DNSSEC validated don't add any
> value in terms of MiTM resistance.
>
> The EFF registry presumably publishes the data over a "secure
> channel" (https, presumably via a sensibly chosen CA), and once
> Postfix policy tables are generated from this data, active attacks
> are difficult.

Agreed, thanks for making this clear! I am working on enabling DNSSEC and
DANE here.

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
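The policy decision Viktor describes (unsigned DNS data adds nothing against an active attacker; validated TLSA data gives a downgrade-resistant TLS signal plus a fingerprint to pin) can be shown as a small state machine. The following is an added example written for this thread, not code from the list, from Postfix or from any RFC. It models a validating resolver's answers as constructed objects with a `secure` flag standing in for the AD bit, applies the RFC 7672 rules that Postfix's `smtp_tls_security_level = dane` follows, and does DANE-EE (usage 3) matching of a presented key against a TLSA record. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; DANE-TA (usage 2) chain building is deliberately not implemented.

```python
"""DANE policy decision and TLSA matching as described in the thread.

Added example, not code from the thread or from Postfix. The DNS answers,
the certificate bytes and the "interceptor" key below are constructed for
the demo; no real resolver or TLS connection is involved.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class TLSA:
    """One TLSA record: usage, selector, matching type, association data."""
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass
class DnsAnswer:
    """Stand-in for a validating resolver's answer. `secure` models the AD bit:
    True only when the rrset, or its non-existence, was DNSSEC-validated."""
    rrset: list = field(default_factory=list)
    secure: bool = False


def usable(r: TLSA) -> bool:
    """RFC 7672 usability: SMTP clients honour DANE-TA(2) and DANE-EE(3) only,
    with selector Cert(0)/SPKI(1) and matching type Full(0)/SHA-256(1)/SHA-512(2)."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def effective_policy(mx: DnsAnswer, tlsa: DnsAnswer) -> str:
    """Map the lookups for one MX host to an effective TLS level.

    Returns "dane" (mandatory TLS, certificate must match a TLSA record),
    "encrypt" (mandatory TLS, no authentication) or "may" (opportunistic)."""
    if not mx.secure or not tlsa.secure:
        # Unsigned MX or TLSA data is exactly the SPF-style record proposed
        # in the thread: an active attacker can strip or forge it, so it gets
        # no more trust than no record at all.
        return "may"
    if not tlsa.rrset:
        return "may"            # validated non-existence: host does not do DANE
    if not any(usable(r) for r in tlsa.rrset):
        return "encrypt"        # TLSA published but every record is unusable
    return "dane"


def tlsa_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE(3) matching: the presented end-entity certificate (or its
    SubjectPublicKeyInfo) must equal, or hash to, the association data.
    DANE-TA(2) needs chain building against the trust anchor, which this
    example does not implement, so such records never match here."""
    for r in records:
        if r.usage != 3 or not usable(r):
            continue
        subject = cert_der if r.selector == 0 else spki_der
        if r.mtype == 0:
            digest = subject
        elif r.mtype == 1:
            digest = hashlib.sha256(subject).digest()
        else:
            digest = hashlib.sha512(subject).digest()
        if digest == r.data:
            return True
    return False


def demo() -> dict:
    """Run the scenarios discussed in the thread on constructed data."""
    # Constructed placeholders for DER bytes; a real client takes them from the handshake.
    cert_der = b"constructed DER certificate of mx.example"
    spki_der = b"constructed DER SubjectPublicKeyInfo of mx.example"
    mitm_spki = b"constructed DER SubjectPublicKeyInfo of an interceptor"

    # Equivalent of "_25._tcp.mx.example. IN TLSA 3 1 1 <sha256 of SPKI>"
    record_3_1_1 = TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())
    signed_mx = DnsAnswer(rrset=["mx.example"], secure=True)
    unsigned_mx = DnsAnswer(rrset=["mx.example"], secure=False)

    return {
        # Signed MX and signed, matching TLSA: authenticated, MitM-resistant TLS.
        "dane_ok": (effective_policy(signed_mx, DnsAnswer([record_3_1_1], True)),
                    tlsa_matches([record_3_1_1], cert_der, spki_der)),
        # Same TLSA content, but the resolver could not validate it: no value added.
        "tlsa_unsigned": effective_policy(signed_mx, DnsAnswer([record_3_1_1], False)),
        # A signed TLSA is worthless if the MX record it hangs off is unsigned.
        "mx_unsigned": effective_policy(unsigned_mx, DnsAnswer([record_3_1_1], True)),
        # Validated non-existence: plain opportunistic STARTTLS.
        "no_tlsa": effective_policy(signed_mx, DnsAnswer([], True)),
        # Only a PKIX-TA(0) record: unusable for SMTP, but still forces encryption.
        "unusable_only": effective_policy(signed_mx, DnsAnswer([TLSA(0, 0, 1, b"\x00" * 32)], True)),
        # Interceptor presents its own key: DANE-EE match fails, delivery is deferred.
        "mitm_key": tlsa_matches([record_3_1_1], cert_der, mitm_spki),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In Postfix the `secure` flag above is only meaningful when `smtp_dns_support_level = dnssec` is set and `/etc/resolv.conf` points at a local validating resolver, since the AD bit from an untrusted recursive resolver over the network is itself forgeable; with that in place, `smtp_tls_security_level = dane` performs the degradation to "may" or "encrypt" shown here automatically.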