Re: [dane] MX and DANE (Was: AppsDir review of

Martin Rex <mrex@sap.com> Sat, 05 May 2012 01:43 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5A1A21E8018; Fri, 4 May 2012 18:43:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.775
X-Spam-Level:
X-Spam-Status: No, score=-9.775 tagged_above=-999 required=5 tests=[AWL=-0.126, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxQlSX2FXY9z; Fri, 4 May 2012 18:43:31 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id C2DFF21F84EE; Fri, 4 May 2012 18:43:30 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q451hRgw017094 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 5 May 2012 03:43:27 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205050143.q451hQnW011408@fs4113.wdf.sap.corp>
To: marka@isc.org
Date: Sat, 05 May 2012 03:43:26 +0200
In-Reply-To: <20120504000220.0F9632063979@drugs.dv.isc.org> from "Mark Andrews" at May 4, 12 10:02:19 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: iesg@ietf.org, apps-discuss@ietf.org, dane@ietf.org
Subject: Re: [dane] MX and DANE (Was: AppsDir review of
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 May 2012 01:43:31 -0000

Mark Andrews wrote:
> 
> O. writes:
> >
> > On 3. 5. 2012, at 17:25, Richard L. Barnes wrote:
> > > Oh, this discussion again.
> > 
> > No, it's _not_ that discussion again.  I wanted to say that we
> > don't _want_ to discuss and fix it in the DANE WG.  Somebody fix
> > it elsewhere and come back.

100 ack.

> 
> While this isn't be a issue for DANE, DANE actually *removes* the
> last known threat, downgrade by filtering/not offering STARTTLS
> from the EHLO response, to making MX and STARTTLS work globally as
> it provides a method to signal that TLS should be available and as
> a consequence you should see a STARTTLS.


Please do not confuse DANE with DNSSEC.

example:

    foo.x.         IN MX     10  mx.bar.y.
    mx.bar.y.      IN CNAME      tweety.baz.z.
    tweety.baz.z.  IN A          0.1.2.3

plus:
    foo.x. is a DNS-Zone with DNSSEC enabled
    bar.y. is a DNS-Zone without DNSSEC
    baz.z. is a DNS-Zone with DNSSEC enabled

The DNS software module does not know about MX records and will
not look at any of the above.

To _me_ this looks like opening a can of worms, not like closing one,
and the apps protocols that want such scenarios secured by DNSSEC,
will have to design and discuss their desired security architecture,
how to perform&implement the various lookups and possible indirections,
how to compute the desired result/outcome from the various possibilities
leveraged by the DNS magic machinery and describe:

   - to implementers of the apps protocol how to implement this
   - to admins of the machines how to configure the various possible
     scenarios

and provide a security considerations about all the potential and
non-obvious pitfalls.

Btw. in the example above, "mx.bar.y. IN CNAME tweety.baz.z."
could have been a DNS reply spoofed by an attacker.

I have significant doubts, that DANE is the right forum to discuss any
of these very apps-specific characteristics and requirements.
And DANE-protocol LC is definitely the wrong time for it
(IIRC, the DANE WG tabled this discussion before it got deeply ratholed
 over it).

*I* really do not want to discuss this any further.

-Martin