Re: [dane] srv-09 comments

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 18 February 2015 00:18 UTC

Date: Wed, 18 Feb 2015 00:18:43 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150218001843.GV1260@mournblade.imrryr.org>
References: <20150216170123.GR1260@mournblade.imrryr.org> <54E22A70.8050705@cisco.com> <20150216180813.GT1260@mournblade.imrryr.org> <54E265A3.8040201@cisco.com> <1936971F-ED29-45AD-8683-E449DC9330F8@ogud.com> <20150217231212.GT1260@mournblade.imrryr.org> <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/H3tjgDJC7NetDqp3_GOKEpWP0Pc>
Subject: Re: [dane] srv-09 comments

On Tue, Feb 17, 2015 at 06:46:13PM -0500, Paul Wouters wrote:

> Why does postfix care about the security of the A/CNAME results before
> asking for TLSA records?

Because "nist.gov" would otherwise receive no email:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18665
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;nist.gov.              IN MX
    nist.gov.               MX      0 nist-gov.mail.protection.outlook.com.

    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53098
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;_25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA

The nameservers for the unsigned zone of nist.gov's MX hosts are
allergic to TLSA queries.  They return "NOTIMPL" instead of:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28627
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;_25._tcp.nist-gov.mail.protection.outlook.com. IN A

You can try it for yourself:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37877
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;mail.protection.outlook.com. IN        NS
    mail.protection.outlook.com. NS ns1-proddns.glbdns.o365filtering.com.
    mail.protection.outlook.com. NS ns2-proddns.glbdns.o365filtering.com.

    $ dig +norecur +dnssec +noall +comment +qu -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com. @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 19776
    ;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

    $ dig +norecur +nodnssec +noedns +noall +comment -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com. @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 56709
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

This was discussed quite some time ago, and has been in the SMTP
draft since.  The domain "nist.gov" is not a comprehensive list of
problem domains.  The SMTP draft avoids sending queries for "exotic"
RR-types to "minimal" nameservers that don't support DNSSEC.

> Why isn't it asking for TLSA records, and if those are secure, don't
> care about the AD bit for the A/AAAA/CNAME.

Because those queries would all too often spuriously fail, and with
"discovery" of TLS support (opportunistic DANE TLS), would lead to
loss of connectivity, since the failures are indistinguishable from
downgrade attacks.

-- 
	Viktor.
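The lookup ordering Viktor describes, as an added example (not Postfix source, and not part of the original message): TLSA is queried only once the MX answer and the MX host's address records have both come back DNSSEC-validated (AD bit set), so that a TLSA query never reaches a nameserver like the one above that answers FORMERR/NOTIMP. The resolver is a constructed offline table; the nist.gov entries mirror the shape of the dig output quoted above (signed nist.gov, unsigned MX host, SERVFAIL from the validating resolver on the TLSA query), while signed.example, plain.example and every address and TLSA value are invented. The second policy function, which asks for TLSA first, is the ordering the quoted question proposes and shows how the same zone turns into a deferred delivery.

```python
"""Added example, not Postfix's code: the DANE lookup ordering described in
the message above, run against a constructed (offline) resolver.  Every zone,
host and answer here is invented for illustration, except the nist.gov shape,
which mirrors the dig output quoted in the message."""
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"  # what a validating resolver returns for NOTIMP/FORMERR/bogus


@dataclass(frozen=True)
class Answer:
    rcode: Rcode
    ad: bool = False      # AD bit: the resolver DNSSEC-validated this answer
    records: tuple = ()   # rdata, as strings


class Decision(Enum):
    DANE = "dane"                       # secure TLSA found: authenticate the MX with it
    OPPORTUNISTIC = "tls-if-offered"    # no usable TLSA: unauthenticated TLS, cleartext fallback
    DEFER = "defer"                     # failure indistinguishable from a downgrade: retry later


def tlsa_name(host: str) -> str:
    return f"_25._tcp.{host}"


def classify_tlsa(tlsa: Answer) -> Decision:
    """Interpret a TLSA answer for a host whose address records are secure."""
    if tlsa.ad and tlsa.rcode is Rcode.NOERROR and tlsa.records:
        return Decision.DANE
    if tlsa.ad and tlsa.rcode in (Rcode.NOERROR, Rcode.NXDOMAIN):
        return Decision.OPPORTUNISTIC  # secure denial of existence: DANE simply not offered
    return Decision.DEFER              # SERVFAIL, bogus, or unsigned data under a signed parent


def careful_policy(domain: str, lookup) -> dict:
    """Query TLSA only after the MX and A lookups both came back with AD set,
    so TLSA queries never reach nameservers that cannot answer them."""
    mx = lookup(domain, "MX")
    if mx.rcode is not Rcode.NOERROR or not mx.ad:
        return {"*": Decision.OPPORTUNISTIC}  # unsigned MX: DANE is out of scope
    result = {}
    for host in mx.records:
        addr = lookup(host, "A")
        if addr.rcode is not Rcode.NOERROR or not addr.ad:
            result[host] = Decision.OPPORTUNISTIC  # unsigned MX host: skip TLSA entirely
            continue
        result[host] = classify_tlsa(lookup(tlsa_name(host), "TLSA"))
    return result


def naive_policy(domain: str, lookup) -> dict:
    """The ordering proposed in the quoted question: ask for TLSA first and
    only care about the address records if the TLSA answer is secure."""
    mx = lookup(domain, "MX")
    if mx.rcode is not Rcode.NOERROR:
        return {"*": Decision.DEFER}
    return {host: classify_tlsa(lookup(tlsa_name(host), "TLSA")) for host in mx.records}


# Constructed resolver: answers keyed by (qname, qtype), as a validating stub
# resolver would hand them to the MTA.  Addresses are documentation prefixes.
FAKE_TLSA = "3 1 1 " + "ab" * 32  # invented SPKI SHA-256 rdata, not a real record
ANSWERS = {
    # Mirrors the dig output above: signed nist.gov, unsigned outlook.com MX host,
    # and SERVFAIL for the TLSA query because the auth server answers NOTIMP.
    ("nist.gov", "MX"): Answer(Rcode.NOERROR, ad=True,
                               records=("nist-gov.mail.protection.outlook.com",)),
    ("nist-gov.mail.protection.outlook.com", "A"): Answer(Rcode.NOERROR, ad=False,
                                                          records=("192.0.2.10",)),
    ("_25._tcp.nist-gov.mail.protection.outlook.com", "TLSA"): Answer(Rcode.SERVFAIL),
    # Invented signed domain that publishes TLSA.
    ("signed.example", "MX"): Answer(Rcode.NOERROR, ad=True, records=("mx.signed.example",)),
    ("mx.signed.example", "A"): Answer(Rcode.NOERROR, ad=True, records=("192.0.2.20",)),
    ("_25._tcp.mx.signed.example", "TLSA"): Answer(Rcode.NOERROR, ad=True, records=(FAKE_TLSA,)),
    # Invented signed domain with no TLSA (secure NXDOMAIN).
    ("plain.example", "MX"): Answer(Rcode.NOERROR, ad=True, records=("mx.plain.example",)),
    ("mx.plain.example", "A"): Answer(Rcode.NOERROR, ad=True, records=("192.0.2.30",)),
    ("_25._tcp.mx.plain.example", "TLSA"): Answer(Rcode.NXDOMAIN, ad=True),
}


def offline_lookup(qname: str, qtype: str) -> Answer:
    return ANSWERS.get((qname, qtype), Answer(Rcode.NXDOMAIN, ad=False))


if __name__ == "__main__":
    for dom in ("nist.gov", "signed.example", "plain.example"):
        print(dom, "careful:", careful_policy(dom, offline_lookup),
             "naive:", naive_policy(dom, offline_lookup))
```

With this table, `careful_policy("nist.gov", ...)` never issues the TLSA query and falls back to ordinary opportunistic TLS, whereas `naive_policy` sees the SERVFAIL, cannot tell it from an attacker suppressing the TLSA answer, and defers the mail, which is exactly the connectivity loss the message warns about.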