Re: [dane] making ietf.org eat the DANE dogfood

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 23 May 2013 04:30 UTC

Date: Thu, 23 May 2013 04:30:11 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130523043011.GJ25080@mournblade.imrryr.org>
References: <519BD393.7020302@ieca.com> <519BD433.6090609@stpeter.im> <519CA48B.4060903@cs.tcd.ie> <20130522124116.GD582@mournblade.imrryr.org> <alpine.LFD.2.10.1305230019350.22566@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1305230019350.22566@bofh.nohats.ca>
Subject: Re: [dane] making ietf.org eat the DANE dogfood

On Thu, May 23, 2013 at 12:21:02AM -0400, Paul Wouters wrote:

> On Wed, 22 May 2013, Viktor Dukhovni wrote:
> 
> >So this is a good time to deploy server TLSA records:
> >
> >   ; SHA256 digest of public key or full certificate.
> >   mail.example.com. IN TLSA 3 1 1 ...
> >   mail.example.com. IN TLSA 3 0 1 ...
> >
> >   ; Or SHA256 of issuing trust-anchor CA public key.  With the trust-anchor
> >   ; issuer certificate included in the server chain file!
> >   ;
> >   mail.example.com. IN TLSA 2 1 1 ...
> >   mail.example.com. IN TLSA 2 0 1 ...
> 
> Would these be better located at _25._tcp.mail.example.com ? :)

Responding as a matter of courtesy rather than necessity.  Yes, of
course!  Anyway, if anyone knows the sysadmins who operate mail.ietf.org,
please nudge them to enable STARTTLS and publish TLSA RRs.

The DNSSEC signature is already in place:

    $ drill -D -t mx ietf.org
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64505
    ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 8
    ;; QUESTION SECTION:
    ;; ietf.org.    IN      MX

    ;; ANSWER SECTION:
    ietf.org.       1800    IN      MX      0 mail.ietf.org.
    ietf.org.       1800    IN      RRSIG   MX ...copious line noise...

https://xkcd.com/1181/

-- 
	Viktor.
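As an added example, not from this thread or from any of the posters: a stand-alone Python script that builds the `_25._tcp` owner name and the TLSA RDATA for the usage/selector/matching-type combinations quoted above, and checks a presented certificate against a record the way a verifier would. The certificate is a constructed toy with a dummy key and empty names, and `tlsa_owner`, `tlsa_rdata` and `tlsa_matches` are names chosen here; for usage 2 the certificate passed in is the trust-anchor issuer certificate from the server's chain, not the leaf.

```python
import hashlib
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)          # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name of the service's TLSA RRset, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA RDATA for a DER certificate: full cert (selector 0) or SPKI (1)."""
    data = cert_der if selector == 0 else spki_from_der(cert_der)
    hexdata = {0: data.hex, 1: hashlib.sha256(data).hexdigest,
               2: hashlib.sha512(data).hexdigest}[mtype]()
    return f"{usage} {selector} {mtype} {hexdata}"

def tlsa_matches(record, cert_der):
    """Verifier side: does this DER certificate satisfy the TLSA record?"""
    usage, selector, mtype, hexdata = record.split()
    got = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    return got == hexdata.lower()

def _der(tag, content):                      # tiny DER encoder for the sample only
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed toy certificate: valid DER layout, dummy RSA key, empty names.
TOY_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                + _der(0x05, b"")) + _der(0x03, b"\x00" + bytes(64)))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + TOY_SPKI)
TOY_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00" + bytes(4)))
```

A selector 1 record keeps matching when the certificate is re-issued for the same key; a selector 0 record pins one specific certificate and must be republished on every renewal.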