Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 21 November 2013 17:29 UTC
On Thu, Nov 21, 2013 at 12:08:38PM -0500, James Cloos wrote:

> Given insecure a/aaaa results, it is reasonable to presume that tlsa
> results also will be insecure.

Thanks, this is on the list for inclusion in the OPS and SMTP drafts.

> Avoiding the tlsa lookup has the downside of serializing the requests,
> but that appears to be necessary in the face of b0rked auth servers.

Yes, though for Postfix the serialization is unavoidable, TLS policy is
loaded one MX destination at a time (in preparation for delivery to that
destination), after the network address is already in hand.

[ The network address is needed early for loop elimination. Postfix
determines whether it is an MX host for the destination by comparing
network addresses, not hostnames. Therefore the network addresses of all
equal-preference hosts need to be available, before delivery to any host
at that preference. Hence the $proxy_interfaces parameter for MX hosts
behind a NAT. ]

Also Postfix + DANE requires a validating resolver on the loopback
interface, so latency is a bit less of a concern, at least for
high-volume destinations where the local cache amortises lookup latency.

-- 
Viktor.
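An added illustrative model of the ordering described in this message (it is not Postfix code and not from the thread): addresses are resolved first so that loop elimination can compare network addresses, and a TLSA query is only issued when both the MX and the A answer were validated, since an insecure A/AAAA result is taken to imply an insecure TLSA result. The stub resolver, the hostnames, the RFC 5737 addresses and the TLSA record are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:
    secure: bool                                # AD bit from the local validating resolver
    rdata: list = field(default_factory=list)   # empty list: NODATA / NXDOMAIN

# Constructed stub zone (hypothetical names and addresses, placeholder digest).
ZONE = {
    ("example.com", "MX"): Answer(True, [(10, "mx1.example.com"),
                                         (10, "mx2.example.com"),
                                         (20, "mx3.example.com")]),
    ("mx1.example.com", "A"): Answer(True, ["192.0.2.10"]),
    ("mx2.example.com", "A"): Answer(False, ["192.0.2.20"]),   # unsigned delegation
    ("mx3.example.com", "A"): Answer(True, ["192.0.2.30"]),
    ("_25._tcp.mx1.example.com", "TLSA"): Answer(True, ["3 1 1 PLACEHOLDER_DIGEST"]),
}

class StubResolver:
    """Stand-in for the loopback validating resolver; records TLSA queries made."""
    def __init__(self, zone):
        self.zone, self.tlsa_queries = zone, []

    def lookup(self, name, rtype):
        if rtype == "TLSA":
            self.tlsa_queries.append(name)
        return self.zone.get((name, rtype), Answer(True))   # absent: secure NODATA

def tls_policy(resolver, host, mx_secure, a):
    """Per-MX-host policy, decided only after the host's address answer is in hand."""
    if not (mx_secure and a.secure):
        return "no-dane"            # insecure chain: presume TLSA insecure, skip the query
    tlsa = resolver.lookup(f"_25._tcp.{host}", "TLSA")
    return "dane" if tlsa.secure and tlsa.rdata else "no-dane"

def plan_delivery(resolver, domain, local_addrs):
    """Return [(mx_host, policy)] in delivery order for one destination domain."""
    mx = resolver.lookup(domain, "MX")
    hosts = sorted(mx.rdata)                                  # by preference, then name
    answers = {h: resolver.lookup(h, "A") for _, h in hosts}  # addresses before any policy
    # Loop elimination by network address (local_addrs would include $proxy_interfaces):
    # if one of the MX hosts is us, drop it and every host at equal or worse preference.
    ours = [p for p, h in hosts if set(answers[h].rdata) & set(local_addrs)]
    if ours:
        hosts = [(p, h) for p, h in hosts if p < min(ours)]
    return [(h, tls_policy(resolver, h, mx.secure, answers[h])) for _, h in hosts]
```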