On Fri, Apr 17, 2020 at 06:59:53PM -0400, Wietse Venema wrote: > Rich Felker: > > I can see where it could be desirable to log whether delivery was made > > based on a TLSA record in a signed domain vs an unsigned one, and this > > necessitates being able to see the AD bit or equivalent. But it does > > not justify dropping all protections if you can't see it, just > > dropping the ability to log (or rather, warning in the log that all > > records look like potentially-unsigned ones). > > It would be a mistake to use TLSA records from an unsigned domain. > That would be no more secure than accepting a random server > certificate. All the pain of doing TLSA and none of the gain, just > security theatre.
It's not security theater. It (1) ensures that you do use records for a signed domain even if you were unable to determine it was signed, due to issues like lack of AD bit in musl or stripping of AD bit by glibc default configuration, and (2) makes it so an attacker wanting to MITM needs to be able to do so on DNS channel, not just route to the MX. (For example this might be difficult or impossible for the attacker if DNS is routed over DoH, or if attacker can sit somewhere between client and MX but not between client and the nearest anycast 8.8.8.8.) Rich
