On Tue, June 23, 2015 17:32, Viktor Dukhovni wrote:
> On Tue, Jun 23, 2015 at 03:19:04PM -0400, James B. Byrne wrote:
>
>> >> smtp_tls_security_level = dane
>> >
>> > Not useful without:
>> >
>> > smtp_dns_support_level = dnssec
>> >
>> > and "127.0.0.1" as the only "nameserver" entry in /etc/resolv.conf
>> > and a validating resolver running on 127.0.0.1. Otherwise, use
>> > "may", not "dane".
>>
>> All MX and delivery hosts have a named instance running on them.
>> Only our internal DNS servers are listed in /etc/resolv.conf on
>> any host. 127.0.0.1 is the first entry in resolv.conf for hosts
>> running a named instance. I do not understand why that should
>> be the only entry however.
>
> DANE is supposed to protect against man-in-the-middle (MiTM) attacks.
> If your DNS queries are over an insecure channel (go off host),
> then the security status of the replies cannot be trusted, and
> there's not much point in doing DANE (unless you expect all the
> attackers to be remote, beyond the nameservers you use, and never
> between the host and its iterative nameserver). That's a rather
> risky assumption.
We run our own name-servers for our domains. In other words, we have the delegation for harte-lyne.ca, harte-lyne.com, and so forth. We also have the delegation for our class C netblocks and provide the DNS reverse lookups from our own name-servers. Our name-servers reside on the same network segments as our mail servers. All our host resolvers, not just the mail server hosts, are configured to only use our internal name-servers by IP address. Those hosts that have an instance of named running also have 127.0.0.1 listed first.

Given these conditions it is difficult for me to imagine a circumstance where a MiTM attack would be possible. If you can formulate a scenario then I am most eager to learn it, since I am obviously not aware of every possibility. I regret if I seem obtuse, but this is an area of which I have but little experience.

Sincerely,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
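The resolver precondition stated earlier in the thread (127.0.0.1 as the only "nameserver" entry in /etc/resolv.conf, backed by a resolver that actually validates) turned into a runnable check. This is an added example, not code from the thread or from Postfix itself; the function names and the sample resolv.conf files are constructed for the demonstration, and the dig-based AD-bit check assumes dig is installed and a resolver is listening on 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): check the resolver
# precondition for smtp_tls_security_level = dane.  The rule as stated in
# the thread: 127.0.0.1 (a local validating resolver) must be the ONLY
# nameserver in /etc/resolv.conf; otherwise use "may", not "dane".

# dane_resolver_ok FILE
# Returns 0 when every "nameserver" line in FILE points at the loopback
# address, 1 when any off-host resolver is listed or none is listed at all.
dane_resolver_ok() {
    ns=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1")
    [ -n "$ns" ] || return 1
    for n in $ns; do
        case "$n" in
            127.0.0.1|::1) ;;   # loopback: queries never leave the host
            *) return 1 ;;      # off-host resolver: the AD bit cannot be trusted
        esac
    done
    return 0
}

# recommend_postfix_tls FILE
# Prints the Postfix main.cf settings that are safe for the resolver in FILE.
recommend_postfix_tls() {
    if dane_resolver_ok "$1"; then
        printf 'smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n'
    else
        printf 'smtp_dns_support_level = enabled\nsmtp_tls_security_level = may\n'
    fi
}

# ad_bit_set NAME TYPE
# Second half of the precondition: the local resolver must really validate.
# Sends one query to 127.0.0.1 and succeeds only if the answer header carries
# the AD (authenticated data) flag.  Needs dig and network access, so the
# offline demo below does not call it.
ad_bit_set() {
    dig +dnssec @127.0.0.1 "$1" "$2" 2>/dev/null | grep -q '^;; flags:.* ad[ ;]'
}

# Constructed sample resolv.conf files for the demo (hypothetical addresses).
demo_dir=$(mktemp -d)
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$demo_dir/mixed.conf"
printf '# local validating named only\nnameserver 127.0.0.1\n' > "$demo_dir/local.conf"
printf 'search example.com\n' > "$demo_dir/empty.conf"

for f in mixed local empty; do
    echo "== $f.conf =="
    recommend_postfix_tls "$demo_dir/$f.conf"
done
```

The "mixed" case is the configuration described in the thread (127.0.0.1 first, internal servers after it): glibc's resolver will happily fall through to the second entry on a timeout or SERVFAIL, so the answer may have come over the wire, and the script therefore recommends "may". After the resolv.conf check passes, run `ad_bit_set _25._tcp.mx.example.net TLSA` (substituting a real MX name) to confirm the local resolver sets the AD bit at all.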