Ok. That makes sense.
DNSSEC already protects my DNS records from spoofing. So I believe all my DNS records are secure when I enable DNSSEC.
My domain is dombox.org and if I have MX records like
then those MX records are already protected from forgery since I have now enabled DNSSEC.
Now I need to add DANE TLSA record to let the world know that my port 25 supports STARTTLS. So clients can detect downgrade issues.
The TLSA records look like this:
_25._tcp.mx1.dombox.org. IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68
_25._tcp.mx2.dombox.org. IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68
_25._tcp.mx3.dombox.org. IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68
_25._tcp.mx4.dombox.org. IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68
_25._tcp.mx5.dombox.org. IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68
I think we can simplify that part via a CNAME record. But, let's not go there.
Now my first question is, does that "fingerprint" add any security in a "third-party CA" system? Or is it there just to be compatible with the DANE system, since DANE is not a mail-specific system?
My second question: if my MX records are configured to use Google MX servers (e.g. aspmx.l.google.com), whose job is it to configure those DANE TLSA records? Google or me?
I believe it's not my job, because there is no easy way I can get the Google MX server certificate fingerprint unless Google provides it. Even if they provide it, if Google changes their certificate for security reasons in the future, then that's gonna break millions of domains that depend on Google mail servers. So that would be a poor design.
If I'm not wrong, Google is against DNSSEC. So there is no way they are gonna configure DANE records like this.
Hopefully, that is one of the reasons why MTA-STS got introduced.
Even if I love DNSSEC and support it in my domain, Google sets the rules here since I'm relying on their mail hosting. I have no other way other than supporting MTA-STS, since Google is against DNSSEC.
My solution is vulnerable to MiTM without DNSSEC. I guess I should update my proposal to say DNSSEC is mandatory. But if you believe the prefix solution itself is flawed, then what's the point?
Thanks for the input. Those are all very helpful comments.
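An added example, not part of the post above and not code from dombox.org or Google: it builds DANE TLSA records of the form shown in the post for an MX host and checks a presented certificate against them, following RFC 6698 field semantics (certificate usage 3 = DANE-EE, selector 0 = full certificate / 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256 / 2 = SHA-512). It also shows the difference that bears on the post's certificate-rotation worry: a "3 0 1" record is tied to one exact certificate, while a "3 1 1" record keeps matching after the certificate is re-issued with the same key. To run offline it uses a constructed, toy DER certificate (same outer X.509 shape, dummy issuer/validity, no real key or signature); the host name mx1.dombox.org is taken from the post, the hash in the post is not reproduced.

```python
"""DANE TLSA record generation and matching for SMTP (RFC 6698 / RFC 7672).

Editor-added example. The certificate is a constructed stand-in built from a
few DER helpers so the script runs offline; it is not a real certificate.
"""
import hashlib


# ---- minimal DER helpers: enough to build and walk a toy certificate ----

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(seq_content):
    """Split the content of a SEQUENCE into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, content, pos = read_tlv(seq_content, pos)
        out.append((tag, content))
    return out


def build_toy_cert(pubkey_bytes, serial):
    """Constructed X.509-shaped certificate (assumption: dummy fields, no real signature)."""
    oid_rsa = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
    oid_sha256_rsa = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid_rsa) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + pubkey_bytes))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03")   # CN=
                                   + tlv(0x0C, b"mx1.dombox.org"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    sig_alg = tlv(0x30, tlv(0x06, oid_sha256_rsa) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
              + sig_alg + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x00" * 8))


def extract_spki(cert_der):
    """Walk Certificate -> TBSCertificate and return the SubjectPublicKeyInfo TLV."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)
    fields = children(tbs)
    if fields[0][0] == 0xA0:          # optional [0] version; skip to fix indexing
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, content = fields[5]
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return tlv(tag, content)


# ---- TLSA (RFC 6698) ----

def tlsa_data(cert_der, selector, matching_type):
    """Certificate association data as lowercase hex for the given selector/type."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if matching_type == 0:
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).hexdigest()


def tlsa_record(host, port, usage, selector, matching_type, cert_der):
    """Presentation-format record named _<port>._tcp.<host>."""
    return (f"_{port}._tcp.{host.rstrip('.')}. IN TLSA {usage} {selector} "
            f"{matching_type} {tlsa_data(cert_der, selector, matching_type)}")


def tlsa_matches(record, cert_der):
    """Does the presented certificate satisfy this DANE-EE (usage 3) record?"""
    f = record.split()
    i = f.index("TLSA")
    usage, selector, mtype = (int(x) for x in f[i + 1:i + 4])
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    expected = "".join(f[i + 4:]).lower()
    return tlsa_data(cert_der, selector, mtype) == expected


# Constructed inputs: two certs for the same key (a renewal) and one for another key.
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
CERT_V1 = build_toy_cert(KEY_A, b"\x01")
CERT_V2 = build_toy_cert(KEY_A, b"\x02")   # re-issued, same public key
CERT_B = build_toy_cert(KEY_B, b"\x03")    # different key
REC_301 = tlsa_record("mx1.dombox.org", 25, 3, 0, 1, CERT_V1)
REC_311 = tlsa_record("mx1.dombox.org", 25, 3, 1, 1, CERT_V1)

if __name__ == "__main__":
    print(REC_301)
    print(REC_311)
    for name, cert in (("v1", CERT_V1), ("v2 (renewed)", CERT_V2), ("other key", CERT_B)):
        print(f"{name:14} 3 0 1: {tlsa_matches(REC_301, cert)}  3 1 1: {tlsa_matches(REC_311, cert)}")
```

The record in the post ("3 0 1") breaks at the next certificate renewal even if the key is kept; "3 1 1" is what RFC 7672 recommends for SMTP because it pins the key and survives re-issuance. The match check here is only the DANE-EE comparison: a real SMTP client also has to obtain the TLSA RRset through a DNSSEC-validating resolver and use it for the MX host it actually connects to, which is the DNSSEC dependency the post is discussing.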