> It turns downgrade attacks into denial of service. DANE-enabled
> clients do not deliver mail in cleartext to servers with published
> TLSA RRs.
Thanks, Victor. Should have re-read TLS_README before asking.
> DO NOT publish stale TLSA records!!!
Errm? No I didn't.
On Tue, Jun 02, 2015 at 03:55:07PM +0200, Olaf Schreck wrote:
> Slightly OT: These slides
>
> > https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf
>
> state on page 26: "DANE TLSA Benefits: prevents STARTTLS "downgrade" attacks"
>
> I'm probably missing something. How does
Slightly OT: These slides
> https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf
state on page 26: "DANE TLSA Benefits: prevents STARTTLS "downgrade" attacks"
I'm probably missing something. How does publication of a TLSA record
prevent STARTTLS downgrade attacks?
Thanks,
On Tue, Jun 02, 2015 at 11:17:55AM +0200, Per Thorsheim wrote:
> Quite a bit of useful info at sys4.de, but in German. Found this English
> translation as a rather quick guide for parts of the process:
> http://noflex.org/implementing-dnssec-dane-email-step-step/
A few comments:
1. Key generati
Thx!
Quite a bit of useful info at sys4.de, but in German. Found this English
translation as a rather quick guide for parts of the process:
http://noflex.org/implementing-dnssec-dane-email-step-step/
.per
On 02.06.2015 10:47, Danny Horne wrote:
> I think this is what I used...a fair bit of scro
I think this is what I used...a fair bit of scrolling to get to relevant
information but I hope it helps
https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf
On 02/06/2015 9:35 am, Per Thorsheim wrote:
> Cannot find a simple process guide for configuring DANE TLSA support &
>