[Wolves] DNS management du jour

Carles Pina i Estany carles at pina.cat
Fri Sep 29 09:32:30 UTC 2023


On 29 Sep 2023 at 10:28:09, Simon Burke via Wolves wrote:
> On Fri, 29 Sept 2023 at 10:13, Carles Pina i Estany via Wolves <
> wolves at mailman.lug.org.uk> wrote:
> >
> >
> > > If anyone wants a short talk about DNS based Mail 'security' (SPF, DKIM,
> > > DMARC, DANE), I probably need to get one made for work shortly anyway :D,
> > > so I'm happy to 'do one' :)
> >
> > I don't see how it can be "short" and then "DNS based Mail 'security'
> > (SPF, DKIM, DMARC, DANE)". To me this is impossible :-D
> >
> > I am interested, I would try to attend. If it's online I would hope that
> > it's easy to attend (if you welcome someone from the SLUG group :-D),
> > if it's physical depends on the day and place (perhaps Telford is a good
> > place, at least for me, from Market Drayton). No idea of concrete places
> > though!
> >
> It would be online rather than physical, unless there was a demand for the
> LUG to start doing talks again?
> But as this is partly a personal development thing for me, as I hate
> speaking in front of people, I'd find online a lot easier.
> NB, Knowledge transfer is also important to me.

Online works, of course! And even better if you prefer it :)

> The subject area is not actually that bad:
> (drastic over-simplifications ahead):
> It's an important distinction that all these DNS records are informational,
> and no receiving server/provider actually has to adhere to what you state
> in these records.
> SPF: A list of servers that send mail on behalf of a domain (and what
> should be done to emails that are from said domain, which are not originating
> from listed hosts/networks).
> DKIM: digitally signing body and/or headers of an email with a publicly
> available pub key stored in DNS.
> DMARC: A DNS record that states what to do if both the above fail,
> including reporting to a specific address. There are fun things like being
> able to request only report a percentage of email etc.
> DANE: (A little more complicated, whilst I get my head around it). Ability
> to authenticate sending and receiving mail servers, through publication of
> DNS TLSA records (which should be DNSSEC signed). Where TLSA records are
> used to associate a TLS server certificate or public key with the domain
> name where the record is found. This in theory should prevent MITM attacks
> etc.

I use (personal system) SPF, DKIM and DMARC. Perhaps you are right: the
concepts can be explained shortly but the configuration and tools are
where I spent more time.

I do it for "fun" (well, family server).

DANE is new for me :-)

Carles Pina i Estany
https://carles.pina.cat || Wiktionary translations: https://kamus.pina.cat
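
Added example, not part of the original message or of either poster's setup: a small Python parser for the SPF and DMARC TXT records summarised in the quoted overview, returning the policy a domain publishes for mail that fails both checks. The example.org records are constructed samples and the function names are illustrative.

```python
import re

# Constructed sample TXT records for the placeholder domain example.org.
SPF_TXT = "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all"
DMARC_TXT = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.org"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return [(result, mechanism), ...] in evaluation order (RFC 7208)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9._-]*=", term):
            continue  # modifier such as redirect= or exp=, not a mechanism
        has_q = term[0] in SPF_QUALIFIERS
        result = SPF_QUALIFIERS[term[0]] if has_q else "pass"  # default is "+"
        parsed.append((result, term[1:] if has_q else term))
    return parsed


def parse_dmarc(txt):
    """Parse a DMARC record (RFC 7489) into a dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return {
        "p": tags["p"].lower(),              # none | quarantine | reject
        "pct": int(tags.get("pct", "100")),  # share of mail the policy covers
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }


def requested_policy(dmarc, spf_aligned_pass, dkim_aligned_pass):
    """What the domain owner asks for; the receiver is free to ignore it."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"  # DMARC passes when either aligned check passes
    return dmarc["p"]


if __name__ == "__main__":
    print(parse_spf(SPF_TXT))
    policy = parse_dmarc(DMARC_TXT)
    print(policy, requested_policy(policy, False, False))
```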
