Wietse Venema:
> Rich Felker:
> > > It would be a mistake to use TLSA records from an unsigned domain.
> > > That would be no more secure than accepting a random server
> > > certificate. All the pain of doing TLSA and none of the gain, just
> > > security theatre.
> >
> > It's not security theater. It (1) ensures that you do use records for
> > a signed domain even if you were unable to determine it was signed,
> > due to issues like lack of AD bit in musl or stripping of AD bit by
> > glibc default configuration, and (2) makes it so an attacker wanting
> > to MITM needs to be able to do so on DNS channel, not just route to
> > the MX. (For example this might be difficult or impossible for the
> > attacker if DNS is routed over DoH, or if attacker can sit somewhere
> > between client and MX but not between client and the nearest anycast
> > 8.8.8.8.)
>
> Congratulations! You just gave a new definition of security theatre:
> using an unauthenticated channel to distribute trust anchors. You
> can consider libc-musl as unsupported from now on.
Verified on alpine-3.11.5.

    alpine:~/postfix-3.6-20200419$ make makefiles
    ...
    Warning: libc-musl breaks DANE/TLSA security.
    Use a glibc-based Linux distribution instead.
    Remove this test to build unsupported Postfix.
    make: *** [Makefile:79: makefiles] Error 1

Wietse
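The gate the two messages above argue about, written out as an added example (not Postfix or musl code): a DANE client reads the AD bit from the DNS response header and treats TLSA records as trust anchors only when the answer was DNSSEC-validated; with AD clear it falls back to non-DANE TLS. The DNS responses below are constructed headers, and the AD bit only means anything if the path to the validating resolver is itself trusted (for example, a validating resolver on localhost), which is the point about unauthenticated channels.

```python
"""Use TLSA records only from a DNSSEC-validated (AD=1) DNS answer.

Added example, not Postfix or musl code. Only the 12-byte DNS header is
parsed; that is enough to make the DANE/no-DANE decision.
"""
import struct

# DNS header flag bits (RFC 1035, RFC 4035): QR = response, AD = the
# resolver validated the data. RCODE is the low 4 bits.
QR = 0x8000
AD = 0x0020
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed DNS header: ID, flags, and the four section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def dane_policy(tlsa_response: bytes) -> str:
    """Return 'dane' only if the TLSA answer is usable and validated.

    Caveat: AD=1 is trustworthy only when the stub talks to a validating
    resolver over a trusted path; a forged or stripped AD bit on an
    unauthenticated channel is exactly the failure mode discussed above.
    """
    h = parse_header(tlsa_response)
    if not h["qr"] or h["rcode"] != 0 or h["ancount"] == 0:
        return "no-dane"  # no usable TLSA answer at all
    if not h["ad"]:
        return "no-dane"  # unvalidated TLSA: no better than a random cert
    return "dane"


def build_response(ad: bool, ancount: int = 1, rcode: int = 0) -> bytes:
    """Constructed response header (no question/answer body) for testing."""
    flags = QR | (AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    print(dane_policy(build_response(ad=True)))   # dane
    print(dane_policy(build_response(ad=False)))  # no-dane
```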