Re: [dane] Digest Algorithm Agility discussion

Wes Hardaker <wjhns1@hardakers.net> Mon, 24 March 2014 15:37 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D37C71A0238 for <dane@ietfa.amsl.com>; Mon, 24 Mar 2014 08:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.355
X-Spam-Level: **
X-Spam-Status: No, score=2.355 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.793] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tds5Zqso7abz for <dane@ietfa.amsl.com>; Mon, 24 Mar 2014 08:37:09 -0700 (PDT)
Received: from mail.hardakers.net (unknown [IPv6:2001:470:1f00:187::1]) by ietfa.amsl.com (Postfix) with ESMTP id B1ED41A023C for <dane@ietf.org>; Mon, 24 Mar 2014 08:37:09 -0700 (PDT)
Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id A6923257FA; Mon, 24 Mar 2014 08:37:08 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Paul Wouters <paul@nohats.ca>
References: <0l4n2sa5a0.fsf@wjh.hardakers.net> <20140322074737.GA5739@anguilla.noreply.org> <20140323174205.63C6111B2111@rock.dv.isc.org> <20140323182106.GX24183@mournblade.imrryr.org> <20140323185718.7A84711B2CB8@rock.dv.isc.org> <20140323191037.GA1469@anguilla.noreply.org> <20140323192557.7716111B342A@rock.dv.isc.org> <20140323200008.GB1469@anguilla.noreply.org> <20140323202831.GB13649@mournblade.imrryr.org> <20140323230125.EF23411B4816@rock.dv.isc.org> <20140323235727.GC13649@mournblade.imrryr.org> <alpine.LFD.2.10.1403241052240.18937@bofh.nohats.ca>
Date: Mon, 24 Mar 2014 08:37:08 -0700
In-Reply-To: <alpine.LFD.2.10.1403241052240.18937@bofh.nohats.ca> (Paul Wouters's message of "Mon, 24 Mar 2014 10:54:35 -0400 (EDT)")
Message-ID: <0l4n2nbobf.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/-p3L6caj914i1ekVIEszG022Ql8
Cc: dane@ietf.org
Subject: Re: [dane] Digest Algorithm Agility discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 15:37:11 -0000

Paul Wouters <paul@nohats.ca>; writes:

> On Sun, 23 Mar 2014, Viktor Dukhovni wrote:
>
>> when the TLSA records are entirely unusable, and in keeping with Tony's
>> original work on the SRV draft, the client reverts to legacy
>> mandatory (practically always unauthenticated) TLS.
>
> That's unfortunate. Perhaps it depends on the definition of "unusable",
> but if all TLSA records for instance fail the RRSIG validation, I would
> hope that postfix would abort delivery attempts and definately _not_
> fallback to unauthenticated TLS.

Yes, this is the case Paul (no need to worry).

>From 6698:

     // unusable records include unknown certUsage, unknown
     // selectorType, unknown matchingType, erroneous RDATA, and
     // prohibited by local policy

Within the SMTP draft, DNSSEC and, for that matter, any DNS error
indicates a full stop with that MX host.  It'll try other hosts, and if
they're broken too then delay.

The unusable indicates "I can't understand the TLSA record for some
reason", not "the hash didn't match" or "was not validated".
-- 
Wes Hardaker
Parsons