On Mon, Mar 02, 2015 at 01:35:29PM -0500, John C Klensin wrote:

> >> > but we can prevent downgrade attacks from succeeding.
> >
> > If the MTA implements opportunistic DANE TLS, and usable TLSA
> > records *are* published, then it MUST use STARTTLS and
> > authenticate the peer via said TLSA records.
> >
> > http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2
>
> Victor,

[ Well known details elided. ]

> Neither DNSSEC nor DANE prevent or detect
> those attacks. They may actually be harmful if they give the
> user a false sense of security.

Since the user is not around for MTA-to-MTA SMTP transmission there
is no opportunity for any false sense of security. So I object to
a characterization of improved hop by hop transport security as
"harmful". This is not the thread to deep dive into that.

-- 
Viktor.
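The rule quoted above (usable TLSA records published means STARTTLS is mandatory and the peer is authenticated against those records) is what stops a STARTTLS-stripping downgrade from succeeding. The following is an added illustration, not code from the thread or from any MTA: it parses TLSA records in presentation form, decides whether any of them are "usable" for SMTP, and checks a peer's certificate chain against DANE-EE(3) and DANE-TA(2) records. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and the usability rule (only usage 2 and 3, with known selector and matching types) is an assumption modelled on the DANE-for-SMTP specification, not something the message itself spells out.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-ins for DER-encoded data; NOT real X.509 or SPKI bytes.
# Only the matching and policy logic is demonstrated here.
LEAF_CERT_DER = b"constructed-leaf-certificate"
LEAF_SPKI_DER = b"constructed-leaf-subjectpublickeyinfo"
ISSUER_CERT_DER = b"constructed-issuer-certificate"
ISSUER_SPKI_DER = b"constructed-issuer-subjectpublickeyinfo"

# A chain is a list of (certificate DER, SPKI DER) pairs, leaf first.
Chain = List[Tuple[bytes, bytes]]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation form 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector and matching type to one certificate."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(usage: int, selector: int, mtype: int,
              cert_der: bytes, spki_der: bytes) -> TLSA:
    """Build the TLSA record that would match the given certificate."""
    rr = TLSA(usage, selector, mtype, b"")
    return TLSA(usage, selector, mtype, association_data(rr, cert_der, spki_der))


def is_usable(rr: TLSA) -> bool:
    """Assumption: for SMTP only DANE-TA(2)/DANE-EE(3) with known selector and
    matching types count as usable; PKIX usages and unknown values do not."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def tls_policy(records: List[TLSA]) -> str:
    """With at least one usable record, STARTTLS and DANE authentication are
    mandatory; otherwise fall back to opportunistic (unauthenticated) TLS."""
    return "dane-required" if any(is_usable(r) for r in records) else "opportunistic"


def peer_authenticated(records: List[TLSA], chain: Chain) -> bool:
    """Return True if some usable record matches the peer chain.
    DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer in the
    chain (simplified: any non-leaf element)."""
    leaf_cert, leaf_spki = chain[0]
    for rr in records:
        if not is_usable(rr):
            continue
        if rr.usage == 3 and association_data(rr, leaf_cert, leaf_spki) == rr.data:
            return True
        if rr.usage == 2:
            for cert_der, spki_der in chain[1:]:
                if association_data(rr, cert_der, spki_der) == rr.data:
                    return True
    return False


def decide(records: List[TLSA], chain: Chain) -> str:
    """Combine policy and authentication into the delivery decision."""
    if tls_policy(records) == "opportunistic":
        return "deliver-opportunistic-tls"
    return "deliver-authenticated" if peer_authenticated(records, chain) else "defer-auth-failure"


if __name__ == "__main__":
    chain = [(LEAF_CERT_DER, LEAF_SPKI_DER), (ISSUER_CERT_DER, ISSUER_SPKI_DER)]
    good = make_tlsa(3, 1, 1, LEAF_CERT_DER, LEAF_SPKI_DER)
    print(decide([good], chain))
    print(decide([parse_tlsa("1 0 1 " + "00" * 32)], chain))
```

Note that a published but non-matching usable record yields a deferral, not a fallback to cleartext or unauthenticated TLS: that refusal to downgrade is exactly the property the quoted draft text describes.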