Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 20 November 2013 23:45 UTC

Date: Wed, 20 Nov 2013 23:44:53 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131120234453.GM761@mournblade.imrryr.org>
References: <20131120212813.GJ761@mournblade.imrryr.org> <20131120224852.A2886AA9D22@rock.dv.isc.org>
In-Reply-To: <20131120224852.A2886AA9D22@rock.dv.isc.org>

On Thu, Nov 21, 2013 at 09:48:52AM +1100, Mark Andrews wrote:

> hostmaster@nist.gov
> your choice of mail handler provider is causing an operational
> problem.

Thanks, I've already notified NIST off-list.  Any comments on the
work-around (avoiding TLSA lookup when the base-domain's A or AAAA
record is "insecure")?

> >     $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com.
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308
> >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > so clearly whatever DNS load-balancing kit is responsible for
> > mail.protection.outlook.com (the problem happens for all names
> > from this domain down) has a rather incomplete DNS implementation.
> 
> Yep, it returns NOTIMP and the developers didn't think about what
> the correct response to a query type that you don't load should be.

If this is useful to anyone, the DNS servers in question are:

    mail.protection.outlook.com. IN    NS ns1-proddns.glbdns.o365filtering.com.
    mail.protection.outlook.com. IN    NS ns2-proddns.glbdns.o365filtering.com.

delegated from:

    protection.outlook.com. IN      NS ns2-gtm.glbdns.o365filtering.com.
    protection.outlook.com. IN      NS ns1-gtm.glbdns.o365filtering.com.

the latter don't appear to exhibit the problem.

> RFC 103[45] say what to return if the name exists and
> the type doesn't and it isn't NOTIMP.

In this case the name does not exist, so the nameserver should be
returning NXDOMAIN, but it snatches defeat from the jaws of victory
and indeed returns "NOTIMP":

    ; <<>> DiG 9.8.0rc1 <<>> +norecur -t TYPE52 _25._tcp.mail.protection.outlook.com. @ns1-proddns.glbdns.o365filtering.com.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 4960
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

which 8.8.8.8 relayed as SERVFAIL.  If there is someone from
Microsoft on this list, please forward a pointer to this thread to the
appropriate interested parties.

-- 
	Viktor.
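As an added illustration of the work-around discussed above (this is example code written for this archive page, not code from the thread and not Postfix's implementation), the stub below models an MTA's DANE decision using only DNS response headers. It assumes the AD bit from a validating resolver is the "secure"/"insecure" signal, embeds constructed responses that mirror the thread (insecure A record for the outlook.com MX host, SERVFAIL for its TLSA query because the authority answered NOTIMP), and adds a hypothetical signed host mx.example.net for contrast.

```python
import struct

# RCODEs (RFC 1035 section 4.1.1) and the RR types used below.
NOERROR, SERVFAIL, NXDOMAIN, NOTIMP = 0, 2, 3, 4
TYPE_A, TYPE_TLSA = 1, 52

def make_header(ident, rcode, ancount=0, ad=False):
    """Build a 12-byte DNS response header: QR=1, RD=1, RA=1, AD as given."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | rcode
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

def parse_header(wire):
    """Return (rcode, ad, ancount) from a DNS wire header; AD is the RFC 4035 bit."""
    _ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return flags & 0x000F, bool(flags & 0x0020), ancount

# Constructed answers, as a validating resolver would hand them to an MTA.
# The outlook.com entries mirror the thread; mx.example.net is hypothetical.
RESPONSES = {
    ("nist-gov.mail.protection.outlook.com.", TYPE_A): make_header(30308, NOERROR, 1, ad=False),
    ("_25._tcp.nist-gov.mail.protection.outlook.com.", TYPE_TLSA): make_header(4960, SERVFAIL),
    ("mx.example.net.", TYPE_A): make_header(1, NOERROR, 1, ad=True),
    ("_25._tcp.mx.example.net.", TYPE_TLSA): make_header(2, NOERROR, 1, ad=True),
}

def lookup(qname, qtype):
    """Stand-in for a stub resolver query; returns (rcode, ad, ancount)."""
    return parse_header(RESPONSES[(qname, qtype)])

def dane_decision(mx_host, workaround=True, port=25):
    """Return what the MTA should do for mx_host: 'dane', 'plain' or 'defer'.

    With workaround=True the TLSA query is only sent when the MX host's
    address record validated (AD set); an insecure host can never yield a
    usable TLSA RRset, so the query is pointless and, as the thread shows,
    can turn a deliverable message into a deferred one.
    """
    if workaround:
        rcode, ad, _ = lookup(mx_host, TYPE_A)
        if rcode != NOERROR:
            return "defer"          # cannot even resolve the MX host
        if not ad:
            return "plain"          # insecure base domain: DANE does not apply
    rcode, ad, ancount = lookup(f"_{port}._tcp.{mx_host}", TYPE_TLSA)
    if rcode == SERVFAIL:
        return "defer"              # lookup error: never silently downgrade
    if rcode == NXDOMAIN or ancount == 0 or not ad:
        return "plain"              # authenticated denial or unsigned: no DANE
    return "dane"                   # validated TLSA RRset present
```

Without the work-around the outlook.com host is deferred on every attempt; with it, delivery proceeds without DANE, which is the only outcome an insecure zone could ever have produced.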