Re: [dane] namespace management, DANE Client Authentication draft updated

Viktor Dukhovni <> Wed, 13 January 2016 06:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4640F1A1A56 for <>; Tue, 12 Jan 2016 22:01:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8cdHF6nN5Wwz for <>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9ABC41A1A52 for <>; Tue, 12 Jan 2016 22:01:03 -0800 (PST)
Received: by (Postfix, from userid 1034) id 8ADC0284AED; Wed, 13 Jan 2016 06:01:02 +0000 (UTC)
Date: Wed, 13 Jan 2016 06:01:02 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <20160113054109.54762.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160113054109.54762.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Jan 2016 06:01:05 -0000

On Wed, Jan 13, 2016 at 05:41:09AM -0000, John Levine wrote:

> I admire the faith you have in DNS operators, but find it baffling.
> For a lot of the ones I know, their heads would explode at having to
> mix TXT SPF records for the incoming mail and TLSA for the outgoing
> mail at the same names in the same zone files.  They'd probably try
> to kludge it with CNAME and break everything.

The TXT SPF records will be a the zone apex.  The _smtp-client (or
just _smtp) prefix will be for each client MTA!  There's little
opportunity for collisions, except at domains with just a single
node at the zone apex holding all the records and not even using
a hostname under the domain for outgoing connections as a mail
client.  If that domain operator needs CNAMES for the client
TLSA record (to where???) they can create a suitable sub-domain
for the client name.

	; zone apex MX record IN MX 0

	; zone apex SPF record IN TXT ...

	; MX host A record IN A[

	; SMTP client IN TLSA 3 1 1 ...

	; SMTP server IN CNAME

> We already have a managed service namespace, which you can use with
> trivial ease as _<service>._client._tcp.<domain>.  But I'm hearing no,
> to save 12 characters in the domain name, and 12 lines of code in the
> clients, we'll tell people to make up random prefixed names and when
> the collisions inevitably happen, it won't be our problem.

It is zero extra lines of code, but what do these extra bytes buy us?