by teddyh
941 days ago
> The IP lookups to connect to your MX host needs to be DNSSEC-protected

Really? It does not seem necessary to require this. I mean, the security is guaranteed by the public keys in the TLSA records, right? Yes, the MX lookup and the TLSA lookups must be DNSSEC signed, but does DANE actually require the A/AAAA lookup of the server name in the MX record to also be DNSSEC signed? It does not seem necessary from a security standpoint.
Apparently, some DNS servers would not respond at all to requests for TLSA records (probably fixed in the software by now, but some infrastructure may still run old software). If a sending mail server requested TLSA records and did not receive a response, it would have to assume DANE _may_ be required and abort the delivery attempt. This would lead to mail being undeliverable because of those old DNS servers. Such old DNS servers probably wouldn't be set up for DNSSEC, and with this workaround the TLSA records wouldn't be requested, so there would be no lookup failure that blocks delivery.
See the paragraphs after the enumeration in https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2
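The delivery decision the reply describes, as an added example that is not part of the original thread and not code from any MTA. The resolver answers are a constructed in-memory table, the status names are my own labels for DNSSEC validation outcomes, and the TLSA hash is a placeholder; the `_25._tcp.` owner-name prefix is the standard DANE convention. The `skip_tlsa_if_insecure_address` switch lets you compare the workaround with a client that queries TLSA unconditionally, which is the case the reply says leads to undeliverable mail.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Status(Enum):
    SECURE = "secure"       # answer validated under DNSSEC
    INSECURE = "insecure"   # answer from an unsigned zone, not validated
    BOGUS = "bogus"         # signatures present but validation failed
    TIMEOUT = "timeout"     # no response at all (e.g. a server that drops TLSA queries)


@dataclass(frozen=True)
class Answer:
    status: Status
    records: Tuple[str, ...] = ()   # empty with SECURE models a validated NODATA


class Decision(Enum):
    DANE_REQUIRED = "dane-required"   # TLS mandatory, server verified against TLSA
    OPPORTUNISTIC = "opportunistic"   # STARTTLS if offered, no DANE verification
    DEFER = "defer"                   # do not deliver now, retry later


# Constructed lookup table standing in for a validating resolver: (qname, qtype) -> Answer
Resolver = Dict[Tuple[str, str], Answer]


def lookup(resolver: Resolver, qname: str, qtype: str) -> Answer:
    # A name/type pair missing from the table models a server that never answers.
    return resolver.get((qname, qtype), Answer(Status.TIMEOUT))


def decide(resolver: Resolver, domain: str, skip_tlsa_if_insecure_address: bool = True):
    """Return (Decision, reason, tlsa_queried).

    With skip_tlsa_if_insecure_address=True the TLSA query is only sent when the
    MX host's address records are themselves DNSSEC-validated (the workaround the
    reply describes). With False the client queries TLSA regardless, which shows
    why a non-responding legacy server then blocks delivery.
    """
    mx = lookup(resolver, domain, "MX")
    if mx.status in (Status.BOGUS, Status.TIMEOUT):
        return Decision.DEFER, "MX lookup bogus or unanswered", False
    if mx.status is Status.INSECURE:
        return Decision.OPPORTUNISTIC, "MX records not DNSSEC-signed", False
    host = mx.records[0]   # single MX host for brevity; real MTAs iterate by preference

    addr = lookup(resolver, host, "A")
    if addr.status in (Status.BOGUS, Status.TIMEOUT):
        return Decision.DEFER, "address lookup bogus or unanswered", False
    if addr.status is Status.INSECURE and skip_tlsa_if_insecure_address:
        return Decision.OPPORTUNISTIC, "MX host address not DNSSEC-signed; TLSA not queried", False

    tlsa = lookup(resolver, f"_25._tcp.{host}", "TLSA")
    if tlsa.status in (Status.BOGUS, Status.TIMEOUT):
        # The client cannot tell whether DANE is required, so the safe action is to defer.
        return Decision.DEFER, "TLSA lookup bogus or unanswered", True
    if tlsa.status is Status.INSECURE or not tlsa.records:
        return Decision.OPPORTUNISTIC, "no usable (signed) TLSA records", True
    return Decision.DANE_REQUIRED, "signed TLSA records found", True


# Constructed scenarios (hostnames, addresses and the TLSA hash are placeholders).
SIGNED_HOST = "mx.signed.example"
LEGACY_HOST = "mx.legacy.example"
PLACEHOLDER_TLSA = "3 1 1 PLACEHOLDER_SHA256_OF_SPKI"

SCENARIOS: Dict[str, Tuple[str, Resolver]] = {
    # Everything signed and a TLSA record published: DANE applies.
    "dane": ("signed.example", {
        ("signed.example", "MX"): Answer(Status.SECURE, (SIGNED_HOST,)),
        (SIGNED_HOST, "A"): Answer(Status.SECURE, ("192.0.2.10",)),
        (f"_25._tcp.{SIGNED_HOST}", "TLSA"): Answer(Status.SECURE, (PLACEHOLDER_TLSA,)),
    }),
    # Signed MX pointing at a host in an unsigned zone whose DNS server never
    # answers TLSA queries (no TLSA entry in the table at all).
    "legacy": ("signed.example", {
        ("signed.example", "MX"): Answer(Status.SECURE, (LEGACY_HOST,)),
        (LEGACY_HOST, "A"): Answer(Status.INSECURE, ("192.0.2.20",)),
    }),
    # Sender's own MX lookup is unsigned: nothing downstream can be trusted.
    "unsigned-mx": ("unsigned.example", {
        ("unsigned.example", "MX"): Answer(Status.INSECURE, (LEGACY_HOST,)),
    }),
    # Signed chain but the TLSA answer fails validation.
    "bogus-tlsa": ("signed.example", {
        ("signed.example", "MX"): Answer(Status.SECURE, (SIGNED_HOST,)),
        (SIGNED_HOST, "A"): Answer(Status.SECURE, ("192.0.2.10",)),
        (f"_25._tcp.{SIGNED_HOST}", "TLSA"): Answer(Status.BOGUS),
    }),
}


def run_scenarios(skip_tlsa_if_insecure_address: bool = True) -> Dict[str, Decision]:
    """Evaluate every constructed scenario and return name -> Decision."""
    return {
        name: decide(resolver, domain, skip_tlsa_if_insecure_address)[0]
        for name, (domain, resolver) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for mode in (True, False):
        print(f"skip TLSA when address insecure = {mode}")
        for name, (domain, resolver) in SCENARIOS.items():
            decision, reason, queried = decide(resolver, domain, mode)
            print(f"  {name:12s} -> {decision.value:14s} (tlsa queried: {queried}) {reason}")
```

Running it shows the contrast from the reply: with the workaround the `legacy` scenario delivers opportunistically without ever sending a TLSA query, whereas the unconditional client sends the query, gets no answer, and has to defer.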