[dane] icann.org DANE SMTP?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 17 January 2015 05:56 UTC

Date: Sat, 17 Jan 2015 05:56:42 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150117055642.GP29286@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/8DR-rTZ2KqWRhChWrZWTdY5Lq7Q>
Subject: [dane] icann.org DANE SMTP?

Anyone have appropriate contacts at icann.org to encourage them
to dogfood DANE TLSA RRs for their SMTP servers?

A quick scan of the DNS and MX hosts shows that icann.org and all
its MX hosts (A/AAAA records) are DNSSEC validated, but none of
the MX hosts offer STARTTLS:

    icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
    pechora1.icann.org. IN A 192.0.33.71 ; smtperr: STARTTLS not offered
    pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
    pechora3.icann.org. IN A 192.0.33.73 ; smtperr: STARTTLS not offered
    pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
    pechora4.icann.org. IN A 192.0.33.74 ; smtperr: STARTTLS not offered
    pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
    pechora5.icann.org. IN A 192.0.46.71 ; smtperr: STARTTLS not offered
    pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
    pechora7.icann.org. IN A 192.0.46.73 ; smtperr: STARTTLS not offered
    pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
    pechora8.icann.org. IN A 192.0.46.74 ; smtperr: STARTTLS not offered
    pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered

Sure looks like Sendmail with STARTTLS not enabled:

    posttls-finger: Connected to pechora1.icann.org[192.0.33.71]:25
    posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
    posttls-finger: > EHLO amnesiac.local
    posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [192.0.2.1], pleased to meet you
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-DELIVERBY
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection

All they have to do is enable STARTTLS and publish TLSA RRs.  Either
some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's
TLSA RRset to a shared location where the trust-anchor

    IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>

TLSA RRset is defined, or a different self-signed certificate for
each MX host with per-host

    IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>

records.  We got there for ietf.org, and I think icann.org should
set a similar example.  People reasonably seem to expect them to,
based on frequent tests for icann.org at https://dane.sys4.de/

Do what you say and all that...

-- 
	Viktor.
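The two TLSA layouts the message proposes, as an added example that is not part of the original post or of any ICANN or IETF code: it builds the `DANE-EE(3) SPKI(1) SHA2-256(1)` record for an MX host, the shared `DANE-TA(2) Cert(0) SHA2-256(1)` record with per-host CNAMEs, and the client-side DANE-EE match a DANE SMTP client performs, using only the Python standard library. The certificate, key material, CA name and the `_dane.icann.org` anchor name are constructed or assumed here; only the MX host names come from the post.

```python
"""Added example, not from the original message: build the TLSA records the
post recommends for an MX host and check a presented certificate against
them, standard library only. Certificate, key, CA and anchor name are
constructed or assumed; the host names echo the post."""
import hashlib

# --- just enough DER to build and walk an X.509 certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def seq(*items):
    return tlv(0x30, b"".join(items))
def integer(n):     # extra leading byte when the top bit is set keeps it positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def bitstr(b):      # zero unused bits
    return tlv(0x03, b"\x00" + b)

def der_children(body):
    """Return [(tag, inner, whole_tlv)] for the TLVs concatenated in body."""
    out, i = [], 0
    while i < len(body):
        start, tag, n, i = i, body[i], body[i + 1], i + 2
        if n & 0x80:                                     # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + n], body[start:i + n]))
        i += n
    return out

RSA_ENC   = tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
SHA256RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
CN        = tlv(0x06, bytes.fromhex("550403"))               # id-at-commonName
NULL      = b"\x05\x00"
def name(cn):
    return seq(tlv(0x31, seq(CN, tlv(0x0C, cn.encode()))))
def make_spki(modulus, exponent=65537):
    return seq(seq(RSA_ENC, NULL), bitstr(seq(integer(modulus), integer(exponent))))

def make_cert(cn, modulus, serial):
    """Structurally valid X.509v3 DER with a filler signature: TLSA digests
    cover certificate or SPKI bytes and never verify a signature."""
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), seq(SHA256RSA, NULL),
              name("Constructed Private CA"),
              seq(tlv(0x17, b"150117000000Z"), tlv(0x17, b"250117000000Z")),
              name(cn), make_spki(modulus))
    return seq(tbs, seq(SHA256RSA, NULL), bitstr(b"\x00" * 32))

def spki_of(cert_der):
    """SubjectPublicKeyInfo is field 6 of tbsCertificate once the optional
    [0] version is skipped: serial, sigAlg, issuer, validity, subject, spki."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5][2]

# --- RFC 6698 TLSA: usage, selector, matching type, association data ---
def tlsa_rdata(cert_der, usage, selector, mtype):
    data = cert_der if selector == 0 else spki_of(cert_der)   # Cert(0) / SPKI(1)
    if mtype == 1:
        data = hashlib.sha256(data).digest()                 # SHA2-256(1)
    elif mtype == 2:
        data = hashlib.sha512(data).digest()                 # SHA2-512(2)
    elif mtype != 0:                                         # Full(0)
        raise ValueError("unknown matching type %r" % mtype)
    return (usage, selector, mtype, data.hex())

def tlsa_record(owner, cert_der, usage, selector, mtype):
    u, s, m, h = tlsa_rdata(cert_der, usage, selector, mtype)
    return f"{owner} IN TLSA {u} {s} {m} {h}"

def dane_ee_matches(rrset, cert_der):
    """Client side of DANE-EE(3): the presented leaf must match one usable
    record. DANE-TA(2) records need chain building and are not handled here."""
    return any(u == 3 and s in (0, 1) and m in (0, 1, 2)
               and tlsa_rdata(cert_der, u, s, m)[3] == h for (u, s, m, h) in rrset)

def shared_ta_zone(hosts, ca_cert_der, anchor="_dane.icann.org"):
    """The post's other layout: one DANE-TA(2) Cert(0) SHA2-256(1) RRset at a
    shared name, each MX host's _25._tcp name a CNAME to it (anchor name assumed)."""
    lines = [tlsa_record(anchor + ".", ca_cert_der, 2, 0, 1)]
    return lines + [f"_25._tcp.{h}. IN CNAME {anchor}." for h in hosts]

# Constructed 2048-bit odd integers standing in for RSA moduli; not real keys.
MX_MODULUS = (1 << 2047) | int.from_bytes(hashlib.sha256(b"mx key").digest() * 8, "big") | 1
CA_MODULUS = (1 << 2047) | int.from_bytes(hashlib.sha256(b"ca key").digest() * 8, "big") | 1

if __name__ == "__main__":
    host = "pechora1.icann.org"
    cert = make_cert(host, MX_MODULUS, serial=0x1001)
    renewed = make_cert(host, MX_MODULUS, serial=0x1002)   # same key, new serial
    print(tlsa_record(f"_25._tcp.{host}.", cert, 3, 1, 1))
    # SPKI(1) keeps matching across a renewal that keeps the key; Cert(0) does not.
    print(dane_ee_matches([tlsa_rdata(cert, 3, 1, 1)], renewed),
          dane_ee_matches([tlsa_rdata(cert, 3, 0, 1)], renewed))
    ca = make_cert("Constructed Private CA", CA_MODULUS, serial=1)
    print("\n".join(shared_ta_zone([host, "pechora3.icann.org"], ca)))
```

The renewal check is the practical reason the post pairs DANE-EE(3) with SPKI(1): a `3 1 1` record keeps matching when the certificate is reissued for the same key, while a `3 0 1` record breaks on every reissue. For the shared `2 0 1` layout, each MX host must also send the trust-anchor certificate in its TLS chain so that the client can build a path to the digest published in DNS, and `shared_ta_zone` only emits the zone data, not that chain check.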