[dane] icann.org DANE SMTP?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 17 January 2015 05:56 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5BB7A1A9163 for <dane@ietfa.amsl.com>; Fri, 16 Jan 2015 21:56:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id s4mH4TMrqZqu for <dane@ietfa.amsl.com>; Fri, 16 Jan 2015 21:56:44 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BF141A9145 for <dane@ietf.org>; Fri, 16 Jan 2015 21:56:43 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3A9B2284B0A; Sat, 17 Jan 2015 05:56:42 +0000 (UTC)
Date: Sat, 17 Jan 2015 05:56:42 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150117055642.GP29286@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/8DR-rTZ2KqWRhChWrZWTdY5Lq7Q>
Subject: [dane] icann.org DANE SMTP?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jan 2015 05:56:46 -0000

Anyone have appropriate contacts at icann.org to encourage them
to dogfood DANE TLSA RRs for their SMTP servers?

A quick scan of the DNS and MX hosts shows that icann.org and all
its MX hosts (A/AAAA records) are DNSSEC validated, but none of
the MX hosts offer STARTTLS:

    icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
    pechora1.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
    pechora3.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
    pechora4.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
    pechora5.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
    pechora7.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
    icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
    pechora8.icann.org. IN A ; smtperr: STARTTLS not offered
    pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered

Sure looks like Sendmail with STARTTLS not enabled:

    posttls-finger: Connected to pechora1.icann.org[]:25
    posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
    posttls-finger: > EHLO amnesiac.local
    posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [], pleased to meet you
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-DELIVERBY
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection

all they have to do is enable STARTTLS and publish TLSA RRs.  Either
some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's
TLSA RRset to a shared location where the trust-anchor 

    IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>

TLSA RRset is defined, or a different self-signed certificate for
each MX host with per-host

    IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>

records.  We got there for ietf.org, and I think icann.org should
set a similar example.  People reasonably seem to expect them to,
based on frequent tests for icann.org at https://dane.sys4.de/

Do what you say and all that...