> On 07.01.2015 at 00:18, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Tue, Jan 06, 2015 at 11:36:08PM +0100, Jean Bruenn wrote:
>>
>> I'd like to use DANE but since my registrar has no support for DNSSEC
>> stuff yet (they're working on that) I am using DLV (dlv.isc.org) for now.
>> Now I'd like to use that with Postfix and for that to work I assume that
>> other sites need to use DLV verification as well.
>
> Correct. DANE support is a client-side only matter. SMTP clients
> sending email to your domain will only make use of DANE if they
> support DLV. My email server, for example, specifically does not
> support the ISC DLV. With the root zone and most TLDs signed, I
> don't think it makes sense to use it anymore.
>

What happens if I send an email to your mail server if there is no DS record for my domain in .eu (which is why I use DLV - I added the DNSKEY of a .eu test domain there): the same as explained below (no mail loss)?

>> What happens if they don't?
>
> They'll send email to your domain without DNSSEC or DANE.
>
>> Verification will fail and the mail is rejected?
>
> Of course not. All that happens is that email transmission to your
> domain is more vulnerable to MiTM attacks.
>
>> Basically I want to know if it is safe to implement DANE with
>> DLV.
>
> Safe, but largely pointless. By the time enough domains enable
> client-side DANE support for this to matter to you, the ISC DLV
> may be substantially obsolete.

I see. If I understand correctly, it does help in cases like mine, if the registrar for example has no DNSSEC support yet?

Jean