On Sun, Mar 01, 2015 at 10:21:33AM -0500, Phillip Hallam-Baker wrote:
> On Sat, Feb 28, 2015 at 5:27 PM, Mark Andrews <marka@xxxxxxx> wrote:
> >
> > And that is coming "_25._tlsa" and it uses DNSSEC to prevent the
> > downgrade.

Typo fix: that "_25._tlsa" is of course "_25._tcp".

> > Whether your MTA uses STARTTLS or not is another matter
> > but we can prevent downgrade attacks from succeeding.

If the MTA implements opportunistic DANE TLS, and usable TLSA records
*are* published, then it MUST use STARTTLS and authenticate the peer via
said TLSA records.

http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2

> In particular make it possible to explicitly specify criteria such as 'use
> TLS transport' or 'XYZ authentication is required'.

For both MX and SRV the DANE WG has settled on publication of TLSA RRs to
signal both "TLS is required" and "DANE authentication is required".

-- 
	Viktor.
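The decision logic the reply describes, as an added example that is not part of the thread or of any MTA's code: which TLSA records at `_25._tcp.<mx-host>` an SMTP client counts as "usable", what that obliges the client to do, and how a DANE-EE record is matched against the server's leaf certificate. The RRset and certificate bytes are constructed stand-ins; DNSSEC validation and the DANE-TA chain case are assumed to happen elsewhere.

```python
import hashlib

# Opportunistic DANE TLS client logic as described in the thread
# (draft-ietf-dane-smtp-with-dane / RFC 7672 section 2.2). The TLSA
# records and "certificate" bytes below are constructed samples.

def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host: _<port>._tcp.<host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def is_usable(rec: dict) -> bool:
    """A TLSA RR an SMTP client can act on: usage DANE-TA(2) or DANE-EE(3),
    selector Cert(0) or SPKI(1), matching type Full(0), SHA-256(1) or
    SHA-512(2). PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP: there is no
    agreed CA trust anchor list between arbitrary MTAs."""
    return (rec["usage"] in (2, 3) and rec["selector"] in (0, 1)
            and rec["mtype"] in (0, 1, 2))

def policy(tlsa_rrset: list) -> str:
    """Map a DNSSEC-validated TLSA RRset to the client's obligation."""
    if not tlsa_rrset:
        return "no-tlsa"  # plain opportunistic STARTTLS, no downgrade protection
    if any(is_usable(r) for r in tlsa_rrset):
        return "tls-required-authenticated"  # MUST STARTTLS, MUST authenticate
    return "tls-required-unauthenticated"  # TLSA present but unusable: no cleartext

def _assoc_data(rec: dict, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the association data the record would carry for this peer."""
    data = spki_der if rec["selector"] == 1 else cert_der
    if rec["mtype"] == 0:
        return data
    return (hashlib.sha256(data).digest() if rec["mtype"] == 1
            else hashlib.sha512(data).digest())

def dane_ee_match(tlsa_rrset: list, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a usable DANE-EE(3) record matches the presented leaf cert/SPKI.
    DANE-TA(2) records need chain building and are not handled here."""
    return any(r["usage"] == 3 and is_usable(r)
               and r["data"] == _assoc_data(r, cert_der, spki_der)
               for r in tlsa_rrset)

# Constructed sample: stand-ins for the DER leaf certificate and its SPKI.
SAMPLE_CERT = b"constructed-leaf-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
SAMPLE_RRSET = [
    # PKIX-EE(1): present but unusable for SMTP
    {"usage": 1, "selector": 0, "mtype": 1, "data": hashlib.sha256(SAMPLE_CERT).digest()},
    # DANE-EE(3) SPKI(1) SHA-256(1): the record an MTA would pin on
    {"usage": 3, "selector": 1, "mtype": 1, "data": hashlib.sha256(SAMPLE_SPKI).digest()},
]
```

Note that a key rotation on the server without a matching TLSA update makes `dane_ee_match` fail, which is the intended hard failure rather than a fallback to cleartext.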