On 22.02.2013 17:06, Viktor Dukhovni wrote:
> On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
>>> We are trying to establish enforced TLS with a partner that hosts about
>>> 2000 recipient domains. All of these point to the same four MX records:
>>> As I did not want to specify all of these domains in our tls_policy
>>> file, I wanted to ask if there is any option to enforce TLS by those MX
>> Surely, the policy table is indexed by MX hostname as well as
>> recipient domain.
> No, it is not. Only the nexthop domain is used since the MX host
> is derived from unauthenticated MX lookups and is trivially subject
> to MITM attacks.
So it would have the same "quality" as the "encrypt" action, no?
Something between 0 and 100, that could be explicitly mentioned in the
docs. Doesn't help with a MITM but keeps out the firewall/provider guy
with debug/snoop/tcpdump - and your idp of course :-(
But I understand the point and agree with it although it doesn't make me
very happy. We are replacing an interconnection between some companies
with several 1000s of domains (actively used, frequently enhanced) via
leased lines. This required (and unfortunately still requires) a
database for domain exchange and some kind of 'administrative
discipline' to keep it updated in time. My expectation is that DNSSEC
will be globally used before the last point is going to function properly ;)
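For the alternative the thread leaves open, listing every partner domain in the policy table keyed by recipient domain, here is an added example (not from the thread or from Postfix itself) that generates `tls_policy` lines at the `secure` level with a `match=` list of the partner's MX hostnames, so the certificate must match one of those names while the lookup key stays the nexthop domain. The domain and MX names are constructed placeholders.

```python
# Generate Postfix tls_policy entries for recipient domains that share one
# partner MX set. Each output line has the form:
#   <recipient-domain> secure match=<mxhost>:<mxhost>:...
# The recipient (nexthop) domain is the lookup key; the MX hostnames only
# appear as certificate name patterns, so a forged MX answer cannot change
# which policy applies.

import re

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_hostname(name):
    """Loose syntax check so a stray line in an input list cannot corrupt the map."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def build_tls_policy(domains, mx_hosts, level="secure"):
    """Return tls_policy lines, one per distinct domain, sorted."""
    if level not in ("secure", "verify"):
        raise ValueError("match= only applies to the verify and secure levels")
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    if not hosts:
        raise ValueError("at least one MX hostname is required")
    bad = [h for h in hosts if not is_hostname(h)]
    if bad:
        raise ValueError("invalid MX hostnames: %r" % bad)
    match = ":".join(hosts)
    lines = []
    for dom in sorted({d.strip().rstrip(".").lower() for d in domains}):
        if not dom or dom.startswith("#"):
            continue  # skip blank and comment lines from the input list
        if not is_hostname(dom):
            raise ValueError("invalid recipient domain: %r" % dom)
        lines.append("%s\t%s match=%s" % (dom, level, match))
    return lines

# Constructed sample input: partner domains and their shared MX hosts.
SAMPLE_DOMAINS = ["partner-a.example", "Partner-B.example.", "partner-a.example"]
SAMPLE_MX = ["mx1.partnermail.example", "mx2.partnermail.example"]

if __name__ == "__main__":
    for line in build_tls_policy(SAMPLE_DOMAINS, SAMPLE_MX):
        print(line)
    # Write the output to /etc/postfix/tls_policy and run
    # "postmap hash:/etc/postfix/tls_policy" to build the lookup table.
```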