Re: [dane] namespace management, DANE Client Authentication draft updated
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 13 January 2016 06:01 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4640F1A1A56 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 22:01:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cdHF6nN5Wwz for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ABC41A1A52 for <dane@ietf.org>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8ADC0284AED; Wed, 13 Jan 2016 06:01:02 +0000 (UTC)
Date: Wed, 13 Jan 2016 06:01:02 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160113060102.GK18704@mournblade.imrryr.org>
References: <CAHPuVdVAV8zny6OTx0HAvWrTKG7-EJa-xDM6cm72Z=aq-a+GzA@mail.gmail.com> <20160113054109.54762.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160113054109.54762.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/9F88ner90uy_FiprT6-vVk7ZF0c>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 06:01:05 -0000
On Wed, Jan 13, 2016 at 05:41:09AM -0000, John Levine wrote: > I admire the faith you have in DNS operators, but find it baffling. > For a lot of the ones I know, their heads would explode at having to > mix TXT SPF records for the incoming mail and TLSA for the outgoing > mail at the same names in the same zone files. They'd probably try > to kludge it with CNAME and break everything. The TXT SPF records will be a the zone apex. The _smtp-client (or just _smtp) prefix will be for each client MTA! There's little opportunity for collisions, except at domains with just a single node at the zone apex holding all the records and not even using a hostname under the domain for outgoing connections as a mail client. If that domain operator needs CNAMES for the client TLSA record (to where???) they can create a suitable sub-domain for the client name. ; zone apex MX record example.com. IN MX 0 smtp.example.com. ; zone apex SPF record _spf.example.com. IN TXT ... ; MX host A record smtp.example.com. IN A 192.0.2.1[ ; SMTP client _smtp.smtp.example.com. IN TLSA 3 1 1 ... ; SMTP server _25._tcp.smtp.example.com. IN CNAME _smtp.smtp.eample.com. > We already have a managed service namespace, which you can use with > trivial ease as _<service>._client._tcp.<domain>. But I'm hearing no, > to save 12 characters in the domain name, and 12 lines of code in the > clients, we'll tell people to make up random prefixed names and when > the collisions inevitably happen, it won't be our problem. It is zero extra lines of code, but what do these extra bytes buy us? -- Viktor.
- [dane] DANE Client Authentication draft updated Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… James Cloos
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Viktor Dukhovni
- Re: [dane] DANE Client Authentication draft updat… John Levine
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Kim Alvefur
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] namespace management, DANE Client Auth… John R Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Shumon Huque
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] DANE Client Authentication draft updat… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Wiley, Glen
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Sandoche Balakrichenan
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Shumon Huque