Re: [dane] DANE for MX host via insecure MX RR?

Michael Ströder <michael@stroeder.com> Thu, 10 September 2015 16:31 UTC

To: dane@ietf.org
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <20150824031926.GF9021@mournblade.imrryr.org>
From: Michael Ströder <michael@stroeder.com>
Message-ID: <55F1B075.5060809@stroeder.com>
Date: Thu, 10 Sep 2015 18:31:49 +0200
In-Reply-To: <20150824031926.GF9021@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/Awn-OWEeEQGUEqg8kR1hAn80VNA>
Subject: Re: [dane] DANE for MX host via insecure MX RR?

Viktor Dukhovni wrote:
> On Sun, Aug 23, 2015 at 07:29:50PM +0200, Patrik Fältström wrote:
> 
>> If not, we will get absolutely zero deployment of DANE with SMTP as we
>> will never get 100% DNSSEC deployment.
> 
> We already have non-zero deployment, in fact ~2000 domains now, and
> soon gmx.de and web.de as announced last week.
> 
> I think this thread needs to end, or else needs a more relevant
> (to this WG) reboot.
> 
> If you want to propose an update that requires SMTP clients to
> employ DANE TLSA verification of MX hosts in signed zones even when
> the MX RRset was not "secure", read the previous discussion of this
> question in the list archives (yes, it has come up before) and make
> a clear-cut proposal with as solid a rationale as you can.  
> 
> I am not sure this can get enough support to reach "rough consensus",
> but I'm open to the possibility.

Without a signed MX there's no cryptographically secured binding between the
recipient domain (right address part) and the public key used for TLS authc.

So I'm strictly against this possibility, and the developers of an MTA I spoke
with today are also strongly against this.

@Patrik: Deploying DNSSEC/DANE at large scale is not an easy job. If you drop
the requirement for signed MX RRs, DANE would not be worth the effort of
implementing.

Ciao, Michael.
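An added illustration (not part of this message or of any MTA's code) of the policy the thread argues about: how an SMTP client following RFC 7672 decides, per MX host, whether DANE authentication is possible, and why an unsigned MX RRset yields no DANE even when the MX host itself has a valid TLSA record. Zone names, SPKI bytes and the DNS snapshot are constructed, and the RFC's handling is simplified to the cases discussed here.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Answer:
    """One DNS answer: its records plus the resolver's validation status."""
    status: str                 # "secure", "insecure" or "bogus"
    rrset: list = field(default_factory=list)

def mx_policy(dns: dict, domain: str) -> dict:
    """Map each MX host of `domain` to 'dane', 'opportunistic' or 'defer'.
    Simplified RFC 7672 order: an insecure MX RRset disables DANE for the
    whole domain; a bogus answer means the host must not be used yet."""
    mx = dns[("MX", domain)]
    if mx.status == "bogus":
        return {}                            # nothing trustworthy to deliver to
    policy = {}
    for host in mx.rrset:
        if mx.status == "insecure":
            # The MX host name is unauthenticated, so a valid TLSA for it binds
            # a key to *that name*, not to `domain`: fall back to plain TLS.
            policy[host] = "opportunistic"
            continue
        tlsa = dns.get(("TLSA", f"_25._tcp.{host}"), Answer("insecure"))
        if tlsa.status == "bogus":
            policy[host] = "defer"
        elif tlsa.status == "secure" and tlsa.rrset:
            policy[host] = "dane"            # certificate MUST match a TLSA RR
        else:
            policy[host] = "opportunistic"
    return policy

def tlsa_matches(tlsa_rrset: list, spki_der: bytes) -> bool:
    """DANE-EE(3) / SPKI(1) / SHA-256(1) match for a presented certificate."""
    digest = hashlib.sha256(spki_der).digest()
    return any(rr == (3, 1, 1, digest) for rr in tlsa_rrset)

# Constructed snapshot (hypothetical names and key bytes, not real zones).
FAKE_SPKI = b"constructed-spki-der-bytes"
DNS = {
    ("MX", "signed.example"):   Answer("secure", ["mx1.signed.example"]),
    ("TLSA", "_25._tcp.mx1.signed.example"):
        Answer("secure", [(3, 1, 1, hashlib.sha256(FAKE_SPKI).digest())]),
    ("MX", "unsigned.example"): Answer("insecure", ["mx1.signed.example"]),
}

if __name__ == "__main__":
    print(mx_policy(DNS, "signed.example"))    # {'mx1.signed.example': 'dane'}
    print(mx_policy(DNS, "unsigned.example"))  # {'mx1.signed.example': 'opportunistic'}
```

Both constructed domains point at the same MX host with the same secure TLSA record; only the DNSSEC status of the MX RRset differs, and that alone decides whether DANE can authenticate the delivery.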