I wonder how long it'll be before large companies require DNSSEC (and verify) + TLS for delivering email 2FA codes.
My guess is never, despite the relative ease that those codes can be spied upon.
Conversation
Replying to
Need TLSA records (DANE) in addition to DNSSEC to provide TLS authentication for email.
MTA-STS is a much weaker approach. Requires DNS records and an HTTPS web server which it uses to fetch an mta-sts.txt file similar to dynamic (no preload) HSTS if you only used http:// URLs.
DANE is really easy to deploy if you're already using DNSSEC on the domains receiving mail and your MX domain(s). You just add a single TLSA record pinning leaf key for the MX server federation port and then you can add another alongside it when phasing in a key for rotation.
1
2
Can set TTL low and then it's not a big deal if you screw up the TLSA key rotations, especially since mail servers are required to retry sending mail multiple times on temporary failures such as failing to connect/auth by the standard and usually spend a long time retrying.
1
2
Show replies
Replying to
Yes, I was thinking of mentioning TLSA records, but so many people don't even do the few I mentioned. (I have TLSA records deployed for my mail server, but I don't know if my MTA will check and verify the TLSA record?).
2
On that last point, has anyone setup a server that has things like broken TLSA records to test to see if you server does proper verification of the different parts (bad DNSSEC record, mismatched TLSA record, etc)? Seems like a useful thing to have.
1
1
Show replies