IETF Logo Mail Archive

Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)

Mark Andrews <marka@isc.org> Tue, 26 May 2015 01:33 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD171A6EFB; Mon, 25 May 2015 18:33:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TAXoDpqFI21K; Mon, 25 May 2015 18:33:18 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AA061A6EF0; Mon, 25 May 2015 18:33:18 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 52FC8349422; Tue, 26 May 2015 01:33:16 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 9D75E160053; Tue, 26 May 2015 01:33:41 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 81636160087; Tue, 26 May 2015 01:33:41 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OQFk6cLRdrVw; Tue, 26 May 2015 01:33:41 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id EDE25160053; Tue, 26 May 2015 01:33:40 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 55BD02F51464; Tue, 26 May 2015 11:33:13 +1000 (EST)
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20150524204121.31745.72546.idtracker@ietfa.amsl.com> <20150525020430.GK17272@mournblade.imrryr.org> <841AFD92-8615-43BF-98B4-48770FA72235@ogud.com> <20150526000338.D70AC2F50D87@rock.dv.isc.org> <alpine.LFD.2.11.1505252020130.5996@bofh.nohats.ca>
In-reply-to: Your message of "Mon, 25 May 2015 20:31:23 -0400." <alpine.LFD.2.11.1505252020130.5996@bofh.nohats.ca>
Date: Tue, 26 May 2015 11:33:12 +1000
Message-Id: <20150526013313.55BD02F51464@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/8g20qmwncZ-NB75Zp1vcFNQYrEE>
Cc: draft-ietf-dane-smtp-with-dane@ietf.org, The IESG <iesg@ietf.org>, dane WG list <dane@ietf.org>
Subject: Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 01:33:20 -0000

In message <alpine.LFD.2.11.1505252020130.5996@bofh.nohats.ca>, Paul Wouters wr
ites:
> On Tue, 26 May 2015, Mark Andrews wrote:
> 
> > In addition it is just plain pointless to do the lookup.
> >
> > If the A/AAAA is insecure the TLSA lookup will be insecure due to
> > there being not DNSSEC trusted path the TLSA node.
> 
> I don't understand this. Wether the A/AAA is spoofed or someone
> with sufficient power to redirect routing of that range to them
> is the same thing. So even if the A/AAAA were trusted by DNSSEC,
> you don't know if you are talking to the real or rogue servers
> in that IP.

If the A/AAAA result is secure you do the TLSA lookup.
 
> >  You can't prove
> > whether the server was supposed to offer STARTTLS or not.
> 
> Yes you can? The presence of TLSA means you MUST do STARTTLS,
> and not downgrade to plaintext. Sure, it can be spoofed but
> you're not posting anything signed with DNSSEC, you're not
> losing any security here?

If the answer is INSECURE you can't prove the TLSA exists.  The
MUST only applies if you get a SECURE response to the TLSA record
which will not happen if the A/AAAA response is insecure.

> >  Faked answers can "prove" either assertion.
> 
> Sure. Not signing will not help against active attacks. But publishing
> unsigned could help you agaisnt passive attacks.

And you can tell the difference how?

Spoofed affirmative TLSA responses can lead to a DoS if they are
accepted either because the server does not offer STARTTLS or the
TLSA does not match the CERT offered.

> > as the answer will be insecure.  SMTP servers can already be
> > configured to accept CERTS where you don't have a trust anchor for
> > that server if you just want to have a encrypted stream to stop
> > casual snooping of traffic and the server happens to say it supports
> > STARTTLS.
> 
> That is true. You don't win much by an out-of-band insecure TLSA lookup.
> 
> > The main reason for not doing the lookup is that it is pointless
> > (see above).  The very much secondary reason for not doing the
> > lookup is that there is a very small percentage of servers that
> > mishandle TLSA lookups.  SMTP servers are going to have to handle
> > these broken servers once they get secure A/AAAA responses.
> 
> If broken servers are indistinguishable from an attack, then it is
> an attack, and things should break. (yes spoken without operator hat on)
> 
> >>> When the MX RRset is secure, but the A/AAAA records are insecure,
> >>> no TLSA lookup takes place.  I think that proceeding with (soft-fail)
> >>> TLSA lookups when the MX RRset is insecure invites implementation
> >>> errors.
> 
> I don't like that because I would like to be able to publish TLSA
> records in my nohats.ca zone pointing to some mail service I use
> that uses certificates but are not themselves dnssec signed. eg:
> 
> nohats.ca. IN MX 5 mail.insecure-bigmail.com.
> nohats.ca. IN TLSA <blob>

Which no SMTP client will lookup.  Much better to write to their
support@ address and say you are moving your email to someone that
supports TLSA if they don't add the records with <reasonable period>
them carry through with the threat if they don't.  There is nothing
stopping any SMTP service operator configuring and signing TLSA
records other than pigheadedness on the part of the operator.

> As for insecure TLSA records themselves, while I would prefer we
> would use them in a better-than-nothing sense, I am more fearful of
> implementations just not bothering or forgetting to check for DNSSEC
> and blindly trusting these. So I think it is more clear to just say
> ignore insecure TLSA records.

Except they are not better-than-nothing.  Using them requires that
you deal with the failure modes of dealing with them.  They introduce
their own new threats.  They also don't enhance security.

Ignoring them doesn't prevent opportunic use of STARTTLS.  

> Paul
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email