Re: [dane] namespace management, DANE Client Authentication draft updated

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 13 January 2016 06:01 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4640F1A1A56 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 22:01:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cdHF6nN5Wwz for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ABC41A1A52 for <dane@ietf.org>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8ADC0284AED; Wed, 13 Jan 2016 06:01:02 +0000 (UTC)
Date: Wed, 13 Jan 2016 06:01:02 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160113060102.GK18704@mournblade.imrryr.org>
References: <CAHPuVdVAV8zny6OTx0HAvWrTKG7-EJa-xDM6cm72Z=aq-a+GzA@mail.gmail.com> <20160113054109.54762.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160113054109.54762.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/9F88ner90uy_FiprT6-vVk7ZF0c>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 06:01:05 -0000

On Wed, Jan 13, 2016 at 05:41:09AM -0000, John Levine wrote:

> I admire the faith you have in DNS operators, but find it baffling.
> For a lot of the ones I know, their heads would explode at having to
> mix TXT SPF records for the incoming mail and TLSA for the outgoing
> mail at the same names in the same zone files.  They'd probably try
> to kludge it with CNAME and break everything.

The TXT SPF records will be a the zone apex.  The _smtp-client (or
just _smtp) prefix will be for each client MTA!  There's little
opportunity for collisions, except at domains with just a single
node at the zone apex holding all the records and not even using
a hostname under the domain for outgoing connections as a mail
client.  If that domain operator needs CNAMES for the client
TLSA record (to where???) they can create a suitable sub-domain
for the client name.

	; zone apex MX record
	example.com. IN MX 0 smtp.example.com.

	; zone apex SPF record
	_spf.example.com. IN TXT ...

	; MX host A record
	smtp.example.com. IN A 192.0.2.1[

	; SMTP client
	_smtp.smtp.example.com. IN TLSA 3 1 1 ...

	; SMTP server
	_25._tcp.smtp.example.com. IN CNAME _smtp.smtp.eample.com.

	
> We already have a managed service namespace, which you can use with
> trivial ease as _<service>._client._tcp.<domain>.  But I'm hearing no,
> to save 12 characters in the domain name, and 12 lines of code in the
> clients, we'll tell people to make up random prefixed names and when
> the collisions inevitably happen, it won't be our problem.

It is zero extra lines of code, but what do these extra bytes buy us?

-- 
	Viktor.