Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <> Mon, 24 March 2014 15:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 94DD71A01C6 for <>; Mon, 24 Mar 2014 08:33:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FBYbifsKwTAv for <>; Mon, 24 Mar 2014 08:33:48 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 416E21A01B9 for <>; Mon, 24 Mar 2014 08:33:48 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 110BD2AB250; Mon, 24 Mar 2014 15:33:46 +0000 (UTC)
Date: Mon, 24 Mar 2014 15:33:46 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dane] Digest Algorithm Agility discussion
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Mar 2014 15:33:50 -0000

On Mon, Mar 24, 2014 at 10:54:35AM -0400, Paul Wouters wrote:

> On Sun, 23 Mar 2014, Viktor Dukhovni wrote:
> >when the TLSA records are entirely unusable, and in keeping with Tony's
> >original work on the SRV draft, the client reverts to legacy
> >mandatory (practically always unauthenticated) TLS.
> That's unfortunate. Perhaps it depends on the definition of "unusable",
> but if all TLSA records for instance fail the RRSIG validation, I would
> hope that Postfix would abort delivery attempts and definitely _not_
> fall back to unauthenticated TLS.

Unusable is quite different from "fails validation".  When "usable"
records are found, but none match (all fail validation), delivery
is aborted.

The "unusable" case is when at least one of the TLSA *parameters*
is unsupported, the digest value has an impossible length, or a full
value is malformed: IN TLSA ???(50) SPKI(1) SHA2-512(2) {hex for 64-byte blob} IN TLSA DANE-EE(3) ???(2) SHA2-512(2) {hex for 64-byte blob} IN TLSA DANE-EE(3) SPKI(1) ???(3) {hex for 64-byte blob} IN TLSA DANE-EE(3) SPKI(1) SHA2-512(2) {hex for 32-byte blob} IN TLSA DANE-EE(3) SPKI(1) Full(0) {not ASN.1 of SPKI} IN TLSA DANE-EE(3) Cert(0) Full(0) {not ASN.1 of X.509 cert}

If all records are "unusable", Postfix falls back to unauthenticated TLS.

The administrator may be in a position to configure Postfix to
"test-drive" "DANE TLS" in a mode where validation failures are
tolerated and logged (DANE audit rather than enforcement), but
that's quite different from ignoring validation failures.

The default (when DANE TLS is enabled) is "enforce".  Support for
"audit" mode is under development, and is not DANE TLS specific.
It supports audited fallback from all verified (authenticated) TLS 
policies to either enforced unauthenticated TLS, or even just plain
opportunistic TLS (with cleartext fallback).  In all cases failure
to arrive at the desired security state is logged.