Re: [dane] DNS errors text

Viktor Dukhovni <> Thu, 02 October 2014 03:18 UTC


On Wed, Oct 01, 2014 at 07:13:17PM -0700, Paul Hoffman wrote:
> On Oct 1, 2014, at 7:01 PM, Peter Saint-Andre - &yet <> wrote:
> > Section 2.1 of draft-ietf-dane-smtp-with-dane has some thorough text on DNS errors. Viktor suggested that draft-ietf-dane-srv needs the same text. I would strongly prefer NOT to have the same text in two documents for various reasons. When I mentioned this to the chairs, they suggested moving the text from the SMTP document to the SRV document since it is more generic. I don't really care where it lives, I just want it to be in one place. What do WG participants think?
> As long as the SMTP document points to the SRV document for the
> errors, it's fine to have it live in the SRV document.

The main issue that comes to mind is that the SRV draft is at
present silent about whether DANE security is opportunistic or
mandatory.  Some of the error text is IIRC specific to the
opportunistic mode of operation, because it opens up more ways to
attempt to mount downgrade attacks.

I don't think the SRV draft should sit on the fence with respect
to opportunistic use.  It probably needs to describe both modes of
operation explicitly.

Otherwise, yes, I have no problem importing the DNS error handling
by reference, but I also see little disadvantage to simply repeating
the text; one-stop shopping is easier on the reader.
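The point about opportunistic mode and downgrade attacks, as an added worked example that is not part of this thread or of either draft: a client that looks up TLSA records must keep "the DNS could not give me a trustworthy answer" (bogus or SERVFAIL) separate from "the zone securely says there is no TLSA", because an attacker who can turn the former into the latter strips DANE from an opportunistic client. The decision rules below follow the approach draft-ietf-dane-smtp-with-dane took (published later as RFC 7672, Section 2.2); the DnsStatus/Decision names, the naive_decide() baseline used for contrast, and the mandatory-mode branches are this example's own constructions and assumptions, not text from the drafts.

```python
"""Model of DANE TLSA lookup-outcome handling for an opportunistic
versus a mandatory-DANE client (added example; rules modelled on the
SMTP-with-DANE approach, names and mandatory-mode branches assumed)."""

from dataclasses import dataclass
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"                # DNSSEC-validated answer or denial of existence
    INSECURE = "insecure"            # provably unsigned delegation
    BOGUS = "bogus"                  # signatures present but validation failed
    INDETERMINATE = "indeterminate"  # no trust anchor covers the name
    ERROR = "error"                  # SERVFAIL, timeout, truncation without TCP


@dataclass
class TlsaLookup:
    status: DnsStatus
    # Parsed TLSA RDATA tuples (usage, selector, matching_type, assoc_data_hex).
    # An empty tuple together with SECURE is a secure NODATA/NXDOMAIN.
    records: tuple = ()


class Mode(Enum):
    OPPORTUNISTIC = "opportunistic"  # DANE when the DNS allows it, else best effort
    MANDATORY = "mandatory"          # DANE or nothing (assumed policy)


class Decision(Enum):
    DANE_TLS = "dane"        # TLS required, peer authenticated via TLSA
    TLS_UNAUTH = "tls-only"  # TLS required, authentication not possible
    CLEARTEXT_OK = "any"     # no DANE signal; opportunistic TLS or cleartext
    DEFER = "defer"          # temporary failure: do not connect now
    FAIL = "fail"            # mandatory policy cannot be satisfied


def parse_tlsa(text):
    """Parse presentation form 'usage selector mtype hexdata' into a tuple."""
    usage, selector, mtype, data = text.split(None, 3)
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()


def usable(rec):
    """SMTP-style usability: DANE-TA(2)/DANE-EE(3) only, selector 0/1,
    matching type 0/1/2.  PKIX usages 0/1 and unknown parameters are ignored."""
    usage, selector, mtype, _ = rec
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def naive_decide(lookup, mode):
    """Downgradeable baseline (constructed for contrast): every failure to
    obtain TLSA records is treated as 'no TLSA', so an attacker who can make
    the lookup fail (forged RRSIGs -> bogus, dropped packets -> SERVFAIL)
    silently removes DANE from an opportunistic client."""
    if lookup.status is DnsStatus.SECURE and any(usable(r) for r in lookup.records):
        return Decision.DANE_TLS
    return Decision.CLEARTEXT_OK if mode is Mode.OPPORTUNISTIC else Decision.FAIL


def decide(lookup, mode):
    """Downgrade-resistant handling of the TLSA lookup outcome."""
    if lookup.status in (DnsStatus.BOGUS, DnsStatus.ERROR):
        # Cannot tell "no TLSA" from "TLSA hidden by an attacker": even the
        # opportunistic client must not connect; retry later instead.
        return Decision.DEFER
    if lookup.status in (DnsStatus.INSECURE, DnsStatus.INDETERMINATE):
        # Unsigned name, hence no DANE possible for this host.
        return Decision.CLEARTEXT_OK if mode is Mode.OPPORTUNISTIC else Decision.FAIL
    # DnsStatus.SECURE from here on.
    if not lookup.records:
        # Securely denied: the zone owner publishes no TLSA for this host.
        return Decision.CLEARTEXT_OK if mode is Mode.OPPORTUNISTIC else Decision.FAIL
    if any(usable(r) for r in lookup.records):
        return Decision.DANE_TLS
    # TLSA present but none usable: the owner signalled TLS, so require it,
    # but no authentication is possible with these parameters.
    return Decision.TLS_UNAUTH if mode is Mode.OPPORTUNISTIC else Decision.FAIL


def downgrade_attempt():
    """Constructed scenario: a DANE-EE record (usage 3) is published, and an
    on-path attacker replaces the signed answer with garbage (bogus)."""
    honest = TlsaLookup(DnsStatus.SECURE, (parse_tlsa("3 1 1 " + "ab" * 32),))
    spoofed = TlsaLookup(DnsStatus.BOGUS)
    return {
        "honest_naive": naive_decide(honest, Mode.OPPORTUNISTIC),
        "spoofed_naive": naive_decide(spoofed, Mode.OPPORTUNISTIC),
        "honest": decide(honest, Mode.OPPORTUNISTIC),
        "spoofed": decide(spoofed, Mode.OPPORTUNISTIC),
    }
```

Running downgrade_attempt() shows the difference the error text exists to pin down: the naive client goes from DANE_TLS to CLEARTEXT_OK when the attacker corrupts the answer, while the correct client goes to DEFER. A mandatory-DANE client has fewer of these cases to get wrong because it never falls back at all, which is why the two modes need to be described separately.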