Re: [dane] Digest Algorithm Agility discussion

Wes Hardaker <wjhns1@hardakers.net> Mon, 24 March 2014 15:37 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Paul Wouters <paul@nohats.ca>
References: <0l4n2sa5a0.fsf@wjh.hardakers.net> <20140322074737.GA5739@anguilla.noreply.org> <20140323174205.63C6111B2111@rock.dv.isc.org> <20140323182106.GX24183@mournblade.imrryr.org> <20140323185718.7A84711B2CB8@rock.dv.isc.org> <20140323191037.GA1469@anguilla.noreply.org> <20140323192557.7716111B342A@rock.dv.isc.org> <20140323200008.GB1469@anguilla.noreply.org> <20140323202831.GB13649@mournblade.imrryr.org> <20140323230125.EF23411B4816@rock.dv.isc.org> <20140323235727.GC13649@mournblade.imrryr.org> <alpine.LFD.2.10.1403241052240.18937@bofh.nohats.ca>
Date: Mon, 24 Mar 2014 08:37:08 -0700
In-Reply-To: <alpine.LFD.2.10.1403241052240.18937@bofh.nohats.ca> (Paul Wouters's message of "Mon, 24 Mar 2014 10:54:35 -0400 (EDT)")
Message-ID: <0l4n2nbobf.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/-p3L6caj914i1ekVIEszG022Ql8
Cc: dane@ietf.org
Subject: Re: [dane] Digest Algorithm Agility discussion
Precedence: list

Paul Wouters <paul@nohats.ca> writes:

> On Sun, 23 Mar 2014, Viktor Dukhovni wrote:
>
>> when the TLSA records are entirely unusable, and in keeping with Tony's
>> original work on the SRV draft, the client reverts to legacy
>> mandatory (practically always unauthenticated) TLS.
>
> That's unfortunate. Perhaps it depends on the definition of "unusable",
> but if all TLSA records for instance fail the RRSIG validation, I would
> hope that postfix would abort delivery attempts and definately _not_
> fallback to unauthenticated TLS.

Yes, this is the case Paul (no need to worry).

>From 6698:

     // unusable records include unknown certUsage, unknown
     // selectorType, unknown matchingType, erroneous RDATA, and
     // prohibited by local policy

Within the SMTP draft, DNSSEC and, for that matter, any DNS error
indicates a full stop with that MX host.  It'll try other hosts, and if
they're broken too then delay.

The unusable indicates "I can't understand the TLSA record for some
reason", not "the hash didn't match" or "was not validated".
-- 
Wes Hardaker
Parsons

[dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Martin Rex
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Jim Schaad
Re: [dane] Digest Algorithm Agility discussion (c… Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion (c… Andrew Sullivan
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker