Loading ...
Sorry, an error occurred while loading the content.

291616Re: Running namecache service on postfix server?

Expand Messages
  • Robert Moskowitz
    Feb 27, 2013
    • 0 Attachment
      On 02/27/2013 01:21 AM, Viktor Dukhovni wrote:
      > On Tue, Feb 26, 2013 at 08:57:51PM -0500, btb@... wrote:
      >>> When Postfix support for DANE (RFC 6698) is introduced, there will
      >>> be a requirement to operate a local nameserver that is DNSSEC aware
      >>> on any machine that wants to take advantage of peer certificate details
      >>> published via DNSSEC to scalably deliver verified TLS email to many
      >>> sites without the overhead of local per-site configuration.
      >> Why must the nameserver be local?
      > Very easy. If the server is *not* local, you should not trust the
      > AD-bit in its responses without authenticating the nameserver via
      > something like TSIG.
      > I am not going to bloat Postfix with TSIG support, this would be
      > really silly, when a local cache can take care of that. A fortiori
      > I am not going to bloat Postfix with its own RRSIG-validing DNSSEC
      > support. Therefore, Postfix support for DANE will be sensibly
      > predicated on a *local* DNSSEC verifying cache.
      > Unless we add code to check that the resolv.conf in fact only
      > contains local servers (I am disinclined to do that also), you will
      > be able to "break the warranty" and trust the AD-bit from non-local
      > nameservers by telling Postfix to enable DANE even with a resolv.conf
      > that points to remote servers. If you do that, you only have yourself
      > to blame when lack of TSIG, ... makes it possible to MITM your
      > server's ostensibly "secure" email deliveries.

      Ah, thought there was a MITM lurking around the corner if DNS server not
      local. Thank you for the details.

      > All, I can say (and will say in the documentation) is that you've
      > been warned. Since the fields of "_res" other than "_res.options"
      > are not generally documented, there is no reasonable way to perform
      > a run-time check that the configured nameservers consist of just
      > and/or ::1.

      I had to add listen on the server's IP addresses. Some services require

      > So the plan is to document the warning clearly
      > in all the relevant documents, and leave the rest to the administrator's
      > ability to restrain himself from folly.
      > Perhaps "postfix check" could generate a warning if DANE is enabled
      > and non-local nameservers are found in /etc/resolv.conf (or and/or
      > its chroot-jail version).

      My main DNS server is no longer chrooted, as selinux is claimed to be
      better protection. And people better at OS security than I have vetted it.

      But with this, I realize that I have had to turn off selinux on my mail
      server. Or rather I have not found selinux assistance for all the
      services needed on a mail server that 'does it all'. Therefore got to
      add chroot for bind.
    • Show all 25 messages in this topic