On Sat, Apr 18, 2020 at 01:04:58PM -0400, Rich Felker wrote:

> It's not security theater because nobody's claiming it's secure.
> Rather it's a fairly weak form of hardening that increases the
> required capabilities an attacker needs to exploit a known-insecure
> system.
FWIW, Postfix in fact defaults to using the DNSSEC-signed TLSA records of MX hosts in signed zones even when the next hop domain (generally same as the recipient domain) is not signed, and in that case we don't log a secure delivery, but the TLSA RRs are honoured.

http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy

We can't do that when the MX host is an unsigned zone, in part because then TLSA lookups are too unreliable, and in part because it would actually violate the RFCs in a substantive way. An MX-host domain owner who wants to stop advertising DANE TLSA is not obligated to remove the TLSA records, it is sufficient to stop signing the zone. We can't break that "contract" and enforce TLSA RRs which the (MX host) domain owner has effectively disclaimed.

-- 
Viktor.
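The three cases Viktor distinguishes (next-hop zone signed or not, MX-host zone signed or not) are easy to conflate, so here is a small model of that decision as an added illustration. It is not Postfix source and does not reproduce Postfix's internal logic; it only encodes what the message states, with the `may`/`encrypt`/`dane` values of `smtp_tls_dane_insecure_mx_policy` taken from the linked postconf(5) entry. The `DnsAnswer` type, the `secure` flag standing in for the resolver's AD bit, and the returned field names are constructed for this example.

```python
"""Model of the DANE MX-policy decision described in the message.

Added illustration, not Postfix code.  Inputs are constructed stand-ins
for DNS lookups: the MX lookup is made in the next-hop domain's zone, the
TLSA lookup in the MX host's zone, and each answer carries whether the
resolver validated it with DNSSEC (the AD bit).
"""
from dataclasses import dataclass

VALID_INSECURE_MX_POLICIES = ("may", "encrypt", "dane")  # postconf(5) values


@dataclass(frozen=True)
class DnsAnswer:
    """Constructed stand-in for one DNS response."""
    records: tuple   # the RRs returned (possibly empty)
    secure: bool     # True if the answer was DNSSEC-validated (AD bit set)


def mx_tls_policy(mx_answer: DnsAnswer, tlsa_answer: DnsAnswer,
                  insecure_mx_policy: str = "dane") -> dict:
    """Decide how TLSA records for one MX host are treated.

    mx_answer   - the MX lookup in the next-hop domain's zone
    tlsa_answer - the TLSA lookup in the MX host's zone
    Returns a dict with the effective level, whether TLSA RRs are enforced,
    and whether the delivery may be reported as secure.
    """
    if insecure_mx_policy not in VALID_INSECURE_MX_POLICIES:
        raise ValueError(f"unknown smtp_tls_dane_insecure_mx_policy: {insecure_mx_policy!r}")

    # Case 1: the MX host's zone is unsigned (or has no TLSA RRs).
    # The message says TLSA cannot be enforced here: an unsigned zone is how
    # a domain owner withdraws TLSA without deleting the records.  The exact
    # fallback level is outside the message, so only "no DANE" is reported.
    if not tlsa_answer.secure or not tlsa_answer.records:
        return {"level": "non-dane", "tlsa_enforced": False, "report_secure": False}

    # Case 2: next-hop zone signed and MX-host zone signed: full DANE.
    if mx_answer.secure:
        return {"level": "dane", "tlsa_enforced": True, "report_secure": True}

    # Case 3: MX found via an insecure lookup but the MX host's zone is
    # signed.  smtp_tls_dane_insecure_mx_policy decides; with the default
    # "dane" the TLSA RRs are honoured but delivery is not reported secure.
    if insecure_mx_policy == "dane":
        return {"level": "dane", "tlsa_enforced": True, "report_secure": False}
    return {"level": insecure_mx_policy, "tlsa_enforced": False, "report_secure": False}


if __name__ == "__main__":
    # Constructed sample answers (record contents are placeholders).
    signed_mx = DnsAnswer(("mx.example.invalid.",), secure=True)
    unsigned_mx = DnsAnswer(("mx.example.invalid.",), secure=False)
    signed_tlsa = DnsAnswer(("3 1 1 <placeholder-digest>",), secure=True)
    unsigned_tlsa = DnsAnswer(("3 1 1 <placeholder-digest>",), secure=False)
    print("signed nexthop, signed MX host:", mx_tls_policy(signed_mx, signed_tlsa))
    print("unsigned nexthop, signed MX host:", mx_tls_policy(unsigned_mx, signed_tlsa))
    print("unsigned MX host zone:", mx_tls_policy(signed_mx, unsigned_tlsa))
```

The middle call is the case the message is about: the TLSA RRs are still enforced, but nothing claims a secure delivery, because the MX hostname itself arrived over an unsigned path.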