On Tue, Jan 06, 2015 at 11:36:08PM +0100, Jean Bruenn wrote:

> I'd like to use DANE but since my registrar has no support for DNSSEC
> stuff yet (they're working on that) I am using DLV (dlv.isc.org) for now.
> Now I'd like to use that with Postfix and for that to work I assume that
> other sites need to use DLV verification as well.

Correct. DANE support is a client-side only matter. SMTP clients sending
email to your domain will only make use of DANE if they support DLV. My
email server, for example, specifically does not support the ISC DLV.
With the root zone and most TLDs signed, I don't think it makes sense to
use it anymore.

> What happens if they don't?

They'll send email to your domain without DNSSEC or DANE.

> Verification will fail and the mail is rejected?

Of course not. All that happens is that email transmission to your domain
is more vulnerable to MiTM attacks.

> Basically I want to know if it is safe to implement DANE with
> DLV.

Safe, but largely pointless. By the time enough domains enable
client-side DANE support for this to matter to you, the ISC DLV may be
substantially obsolete. While DLV is enabled in typical configurations of
BIND and unbound with DNSSEC, I personally make the effort to disable it.

-- 
	Viktor.
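As an added illustration (not from the thread), here is what the client side described above looks like in practice: a Postfix SMTP client with opportunistic DANE enabled, fed by a local validating resolver that has DLV disabled, as Viktor says he does. File paths and the anchor-file locations are assumptions for the example.

```text
# Added example, not configuration from the thread. Paths are assumed.

# /etc/postfix/main.cf  (Postfix 2.11 or later)
# "dane" is enforced only for destinations whose MX and TLSA records
# validate as DNSSEC-signed in the local resolver's view; every other
# destination silently falls back to opportunistic TLS ("may").
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_host_lookup = dns
smtp_tls_loglevel = 1

# /etc/resolv.conf
# The resolver must be local: an AD bit from a remote resolver travels
# unauthenticated and can be stripped or forged on the way.
nameserver 127.0.0.1

# /etc/unbound/unbound.conf  (validating, no DLV)
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # dlv-anchor-file: "/var/lib/unbound/dlv.isc.org.key"   # left disabled

# named.conf (BIND) equivalent: validate from the root, no lookaside.
options {
    dnssec-validation auto;
    dnssec-lookaside no;
};

# Effect for a domain whose zone is signed only via DLV: this client
# treats its TLSA records as unsigned, uses plain "may" TLS, and logs
# something other than "Verified TLS connection established to ...".
```

Grepping the mail log for "Verified TLS connection established" versus "Untrusted" or "Anonymous" is the quickest way to see which destinations actually got DANE treatment from a given client.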