Re: [dane] srv-09 comments
Mark Andrews <marka@isc.org> Wed, 18 February 2015 00:06 UTC
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20150216170123.GR1260@mournblade.imrryr.org> <54E22A70.8050705@cisco.com> <20150216180813.GT1260@mournblade.imrryr.org> <54E265A3.8040201@cisco.com> <1936971F-ED29-45AD-8683-E449DC9330F8@ogud.com> <20150217231212.GT1260@mournblade.imrryr.org> <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>
In-reply-to: Your message of "Tue, 17 Feb 2015 18:46:13 -0500." <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>
Date: Wed, 18 Feb 2015 11:06:20 +1100
Message-Id: <20150218000621.1A3A429B21E6@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/JGGaib-rw8ymnAjnoRVwMaXuTAE>
Cc: dane@ietf.org
Subject: Re: [dane] srv-09 comments
In message <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>, Paul Wouters writes:
> On Tue, 17 Feb 2015, Viktor Dukhovni wrote:
>
> > This creates an interesting edge-case for testing whether individual
> > MX hosts (or SRV target hosts) live in a signed zone (that's the
> > purpose of the A/AAAA queries in the SRV and SMTP drafts that
> > gate the applicability of TLSA lookups):
> >
> > ; example.com is a signed zone
> > ;
> > example.com. IN MX 0 mail.example.com.
> > mail.example.com. IN CNAME mail.example.net.
> > _25._tcp.mail.example.com. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> >
> > ; example.net is an "insecure" zone:
> > ;
> > mail.example.net. IN A 192.0.2.1
> >
> > When a query for the "A" records of "mail.example.com." is
> > sent to a validating iterative resolver, the response has
> > a CNAME RR, an "A" RR and AD=0. However the query domain
> > is actually "secure", the reason for "AD=0" is that the CNAME
> > points into an "insecure" zone.
> >
> > To accommodate this edge-case, when the A/AAAA record returns
> > an insecure CNAME, Postfix sends a second query:
> >
> > mail.example.com. IN CNAME ?
> >
> > and if that yields "AD=1", TLSA records are still requested:
> >
> > _25._tcp.mail.example.com. IN TLSA ?
> >
> > and used if returned (with AD=1).
>
> Why does postfix care about the security of the A/CNAME results before
> asking for TLSA records?
>
> Why isn't it asking for TLSA records, and if those are secure, don't
> care about the AD bit for the A/AAAA/CNAME.

Because there are idiots that design nameservers, firewalls and scrubbing
services that think asking for TLSA records is a good reason to drop the
query. Looking at the result of the MX/A/AAAA query and using that to
determine if the TLSA query should be performed reduces the number of
queries that encounter such idiocy. MX/A/AAAA are rarely dropped.

> As long as whatever insecure A/CNAME/AAAA address has the right
> certificate you were looking for.
>
> Paul

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
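The query sequence Viktor describes above, as an added worked example that is not part of this thread or of Postfix's code: a constructed stand-in resolver (the names FakeResolver, Response and tlsa_rdata_for are hypothetical) replays the example.com/example.net zones from the quoted message and shows that the secure-CNAME-into-insecure-zone case still reaches the TLSA lookup, while a plainly insecure host stops after a single A query and never sends a TLSA query at all.

```python
from dataclasses import dataclass

@dataclass
class Response:
    records: list  # answer section as (owner, rtype, rdata) tuples
    ad: bool       # Authenticated Data flag set by the validating resolver

class FakeResolver:
    """Constructed stand-in for a validating resolver (not a DNS library)."""
    def __init__(self, answers):
        self.answers = answers
        self.queries = []  # every query sent, so callers can count them
    def query(self, qname, qtype):
        self.queries.append((qname, qtype))
        return self.answers.get((qname, qtype), Response([], False))

def tlsa_rdata_for(resolver, host, port=25):
    """Return the TLSA rdata to use for host, or None if DANE does not apply.
    Gate the TLSA query on the security status of the address lookup, and
    handle a secure CNAME into an insecure zone with a second CNAME query."""
    a = resolver.query(host, "A")
    secure = a.ad
    if not secure and any(o == host and t == "CNAME" for o, t, _ in a.records):
        # AD=0 may only mean the CNAME target is insecure: ask about the CNAME alone
        secure = resolver.query(host, "CNAME").ad
    if not secure:
        return None  # insecure host: the TLSA query is never sent
    tlsa = resolver.query(f"_{port}._tcp.{host}", "TLSA")
    if not tlsa.ad:
        return None  # unauthenticated TLSA answers are never used
    return [rdata for _, t, rdata in tlsa.records if t == "TLSA"]

TLSA_RDATA = "3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed answers for the zones in the thread: example.com is signed,
# example.net is not, so the A query for mail.example.com comes back AD=0.
EXAMPLE_ANSWERS = {
    ("mail.example.com.", "A"): Response(
        [("mail.example.com.", "CNAME", "mail.example.net."),
         ("mail.example.net.", "A", "192.0.2.1")], ad=False),
    ("mail.example.com.", "CNAME"): Response(
        [("mail.example.com.", "CNAME", "mail.example.net.")], ad=True),
    ("_25._tcp.mail.example.com.", "TLSA"): Response(
        [("_25._tcp.mail.example.com.", "TLSA", TLSA_RDATA)], ad=True),
    ("mail.example.net.", "A"): Response(
        [("mail.example.net.", "A", "192.0.2.1")], ad=False),
}
```

Calling tlsa_rdata_for on "mail.example.com." sends exactly three queries (A, CNAME, TLSA) and returns the TLSA rdata; calling it on "mail.example.net." sends one A query and returns None.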