[Wolves] DNS management du jour

Simon Burke simon at samandsimon.co.uk
Fri Sep 29 09:28:09 UTC 2023


On Fri, 29 Sept 2023 at 10:13, Carles Pina i Estany via Wolves <
wolves at mailman.lug.org.uk> wrote:

>
>
> > If anyone wants a short talk about DNS based Mail 'security' (SPF, DKIM,
> > DMARC, DANE), I probably need to get one made for work shortly anyway :D,
> > so I'm happy to 'do one' :)
>
> I don't see how it can be "short" and then "DNS based Mail 'security'
> (SPF, DKIM, DMARC, DANE)". To me this is impossible :-D
>
> I am interested, I would try to attend. If it's online I would hope that
> it's easy to attend (if you welcome someone from the SLUG group :-D) ,
> if it's physical depends on the day and place (perhaps Telford is a good
> place, at least for me, from Market Drayton). No idea of concrete places
> though!
>

It would be online rather than physical, unless there was a demand for the
LUG to start doing talks again?
But as this is partly a personal development thing for me, as I hate
speaking in front of people, I'd find online a lot easier.
NB, Knowledge transfer is also important to me.


The subject area is not actually that bad:
(drastic over-simplifications ahead):

It's an important distinction that all these DNS records are informational,
and no receiving server/provider actually has to adhere to what you state
in these records.

SPF: A list of servers that send mail on behalf of a domain (and what
should be done to emails that are from said domain, but which are not
originating from the listed hosts/networks).
DKIM: digitally signing body and/or headers of an email with a publicly
available pub key stored in DNS.
DMARC: A DNS record that states what to do if both the above fail,
including reporting to a specific address. There are fun things like being
able to request to only report a percentage of email etc.
DANE: (A little more complicated, whilst I get my head around it). Ability
to authenticate sending and receiving mail servers, through publication of
DNS TLSA records (which should be DNSSEC signed). Where TLSA records are
used to associate a TLS server certificate or public key with the domain
name where the record is found. This in theory should prevent MITM attacks
etc.


Thanks,
Simon.
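
An added example, not part of the original message: a small parser for the SPF and DMARC records summarised above, showing what the published records ask a receiver to do. The example.org records are constructed, the function names are hypothetical, and the pct handling follows RFC 7489; as the message notes, receivers are free to ignore the request.

```python
import random

# Constructed sample TXT records for the placeholder domain example.org.
SPF_TXT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
DMARC_TXT = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.org"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_spf(txt):
    """Return (terms before 'all', result requested for unlisted senders)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    listed, default = [], "neutral"  # no 'all' term means neutral (RFC 7208)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        name = term.lstrip("+-~?")
        if name.lower() == "all":
            default = SPF_QUALIFIERS[qualifier]
            break  # anything after 'all' is ignored
        listed.append(name)
    return listed, default


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def requested_disposition(tags, spf_aligned, dkim_aligned, roll=None):
    """What the domain owner asks a receiver to do with one message."""
    if spf_aligned or dkim_aligned:
        return "deliver"  # DMARC passes if either check passes in alignment
    policy = tags.get("p", "none").lower()  # assumption: missing p acts as none
    pct = int(tags.get("pct", "100"))
    roll = random.randrange(100) if roll is None else roll
    # Outside the sampled pct, RFC 7489 asks for the next weaker policy.
    return policy if roll < pct else WEAKER[policy]
```

Passing a fixed roll makes the pct sampling deterministic for testing; "deliver" is this example's own label for "no DMARC action requested".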