[dane] icann.org DANE SMTP?
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 17 January 2015 05:56 UTC
Anyone have appropriate contacts at icann.org to encourage them to dogfood DANE TLSA RRs for their SMTP servers?

A quick scan of the DNS and MX hosts shows that icann.org and all its MX hosts (A/AAAA records) are DNSSEC validated, but none of the MX hosts offer STARTTLS:

    icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
      pechora1.icann.org. IN A 192.0.33.71 ; smtperr: STARTTLS not offered
      pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
      pechora3.icann.org. IN A 192.0.33.73 ; smtperr: STARTTLS not offered
      pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
      pechora4.icann.org. IN A 192.0.33.74 ; smtperr: STARTTLS not offered
      pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
      pechora5.icann.org. IN A 192.0.46.71 ; smtperr: STARTTLS not offered
      pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
      pechora7.icann.org. IN A 192.0.46.73 ; smtperr: STARTTLS not offered
      pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
      pechora8.icann.org. IN A 192.0.46.74 ; smtperr: STARTTLS not offered
      pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered

Sure looks like Sendmail with STARTTLS not enabled:

    posttls-finger: Connected to pechora1.icann.org[192.0.33.71]:25
    posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
    posttls-finger: > EHLO amnesiac.local
    posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [192.0.2.1], pleased to meet you
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-DELIVERBY
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection

All they have to do is enable STARTTLS and publish TLSA RRs. Either some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's TLSA RRset to a shared location where the trust-anchor

    IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>

TLSA RRset is defined, or a different self-signed certificate for each MX host with per-host

    IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>

records.

We got there for ietf.org, and I think icann.org should set a similar example. People reasonably seem to expect them to, based on frequent tests for icann.org at https://dane.sys4.de/

Do what you say and all that...

-- 
	Viktor.
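Added example (not code from the mail above or from any DANE project): the two TLSA layouts Viktor describes, generated as zone-file lines and checked against what a server presents. The certificate and SPKI bytes are constructed placeholders, and the shared owner name `_25._tcp.shared-tlsa.example.` is hypothetical; the MX host names are the ones from the scan above.

```python
import hashlib
import hmac

# TLSA parameter values (RFC 6698 / RFC 7671) as they appear in the
# presentation format "usage selector matching-type hex-data".
DANE_TA, DANE_EE = 2, 3              # certificate usage: trust anchor / end entity
CERT, SPKI = 0, 1                    # selector: full certificate / SubjectPublicKeyInfo
FULL, SHA2_256, SHA2_512 = 0, 1, 2   # matching type

def tlsa_owner(host, port=25):
    """Owner name of an SMTP server's TLSA RRset, e.g. _25._tcp.pechora1.icann.org."""
    return "_%d._tcp.%s." % (port, host.rstrip("."))

def tlsa_rdata(usage, selector, mtype, data):
    """Presentation-format RDATA for one TLSA record over the given DER bytes."""
    if mtype == FULL:
        assoc = data.hex()
    elif mtype == SHA2_256:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == SHA2_512:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unsupported matching type %r" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc)

def dane_ee_records(host_spki):
    """Per-host layout: a distinct self-signed cert on each MX, published as
    DANE-EE(3) SPKI(1) SHA2-256(1).  host_spki maps host -> SPKI DER bytes."""
    return ["%s IN TLSA %s" % (tlsa_owner(h), tlsa_rdata(DANE_EE, SPKI, SHA2_256, spki))
            for h, spki in host_spki.items()]

def dane_ta_records(hosts, shared_owner, ca_cert_der):
    """Shared layout: one DANE-TA(2) Cert(0) SHA2-256(1) record at shared_owner,
    and each MX host's TLSA name is a CNAME pointing at it."""
    recs = ["%s IN TLSA %s" % (shared_owner, tlsa_rdata(DANE_TA, CERT, SHA2_256, ca_cert_der))]
    recs += ["%s IN CNAME %s" % (tlsa_owner(h), shared_owner) for h in hosts]
    return recs

def tlsa_match(rdata, cert_der, spki_der):
    """Does a certificate match one TLSA record?  The selector picks which bytes
    are compared and the matching type picks the digest.  For usage 3 the caller
    passes the server's leaf certificate; for usage 2 it must try each
    certificate in the presented chain, since the record names the trust anchor."""
    usage, selector, mtype, assoc = rdata.split()
    data = cert_der if int(selector) == CERT else spki_der
    expected = tlsa_rdata(int(usage), int(selector), int(mtype), data).split()[3]
    return hmac.compare_digest(expected, assoc.lower())

if __name__ == "__main__":   # constructed placeholder key material, not real DER
    for line in dane_ee_records({"pechora1.icann.org": b"constructed-spki-pechora1"}):
        print(line)
    for line in dane_ta_records(["pechora1.icann.org", "pechora3.icann.org"],
                                "_25._tcp.shared-tlsa.example.", b"constructed-ca-cert"):
        print(line)
```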