Re: [dane] icann.org DANE SMTP?

Terry Manderson <terry.manderson@icann.org> Mon, 19 January 2015 03:20 UTC

Return-Path: <terry.manderson@icann.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DF681AD06C for <dane@ietfa.amsl.com>; Sun, 18 Jan 2015 19:20:42 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06KUjnc36kN0 for <dane@ietfa.amsl.com>; Sun, 18 Jan 2015 19:20:40 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 351011AD06B for <dane@ietf.org>; Sun, 18 Jan 2015 19:20:40 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.847.32; Sun, 18 Jan 2015 19:20:37 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.0847.030; Sun, 18 Jan 2015 19:20:37 -0800
From: Terry Manderson <terry.manderson@icann.org>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] icann.org DANE SMTP?
Date: Mon, 19 Jan 2015 03:20:37 +0000
Message-ID: <D0E2B293.4F24E%terry.manderson@icann.org>
References: <20150117055642.GP29286@mournblade.imrryr.org>
In-Reply-To: <20150117055642.GP29286@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3504518435_90160612"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/Mx8rGGMQFUxD1CNtgH0bLgE67l0>
Subject: Re: [dane] icann.org DANE SMTP?
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>

Hi Viktor,

Thanks for the nudge.

There are certainly ICANN people on this mailing list, including myself.

I (while wearing the ICANN org hat) have responsibility for the
engineering department that is tasked with the domain portfolio in ICANN
and the infrastructure which DNSSEC signs and serves it.

We have had this discussion internally at ICANN, in fact we had it last
year, and we have every intention to do this. (The SMTP part is another
team, but they have also concurred and are also willing to 'walk the walk'.)

Our path to get there is currently dependent on an upgrade of our DNSSEC
signing infrastructure (that also entails a move of datacenters). So
please hang in there while we reconstruct some secure cages, ship some
rather heavy safes, and commission new HSMs.

Please watch this space, and if you like I will post back here when we
have both the RRs in and STARTTLS enabled.

Cheers
Terry

On 17/01/2015 3:56 pm, "Viktor Dukhovni" <ietf-dane@dukhovni.org> wrote:

>Anyone have appropriate contacts at icann.org to encourage them
>to dogfood DANE TLSA RRs for their SMTP servers?
>
>A quick scan of the DNS and MX hosts shows that icann.org and all
>its MX hosts (A/AAAA records) are DNSSEC validated, but none of
>the MX hosts offer STARTTLS:
>
>    icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
>    pechora1.icann.org. IN A 192.0.33.71 ; smtperr: STARTTLS not offered
>    pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
>    icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
>    pechora3.icann.org. IN A 192.0.33.73 ; smtperr: STARTTLS not offered
>    pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
>    icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
>    pechora4.icann.org. IN A 192.0.33.74 ; smtperr: STARTTLS not offered
>    pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
>    icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
>    pechora5.icann.org. IN A 192.0.46.71 ; smtperr: STARTTLS not offered
>    pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
>    icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
>    pechora7.icann.org. IN A 192.0.46.73 ; smtperr: STARTTLS not offered
>    pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
>    icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
>    pechora8.icann.org. IN A 192.0.46.74 ; smtperr: STARTTLS not offered
>    pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered
>
>Sure looks like Sendmail with STARTTLS not enabled:
>
>    posttls-finger: Connected to pechora1.icann.org[192.0.33.71]:25
>    posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
>    posttls-finger: > EHLO amnesiac.local
>    posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [192.0.2.1], pleased to meet you
>    posttls-finger: < 250-ENHANCEDSTATUSCODES
>    posttls-finger: < 250-PIPELINING
>    posttls-finger: < 250-8BITMIME
>    posttls-finger: < 250-SIZE
>    posttls-finger: < 250-DSN
>    posttls-finger: < 250-ETRN
>    posttls-finger: < 250-DELIVERBY
>    posttls-finger: < 250 HELP
>    posttls-finger: > QUIT
>    posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection
>
>all they have to do is enable STARTTLS and publish TLSA RRs.  Either
>some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's
>TLSA RRset to a shared location where the trust-anchor
>
>    IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>
>
>TLSA RRset is defined, or a different self-signed certificate for
>each MX host with per-host
>
>    IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>
>
>records.  We got there for ietf.org, and I think icann.org should
>set a similar example.  People reasonably seem to expect them to,
>based on frequent tests for icann.org at https://dane.sys4.de/
>
>Do what you say and all that...
>
>-- 
>	Viktor.
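The two TLSA deployment patterns Viktor sketches above (a shared DANE-TA(2) trust-anchor RRset reached via per-host CNAMEs, or a per-host DANE-EE(3) SPKI digest) are easy to get subtly wrong by hashing the wrong object. The following POSIX shell script is an added example, not code from this thread, from ICANN, or from Postfix: it derives both record forms from PEM certificates with nothing but openssl and POSIX tools, and includes the client-side "does the presented certificate match the published 3 1 1 value" check. The host names (mx1.example.net, tlsa.example.net), file paths and the throwaway keys generated in `demo` are hypothetical; the demo CA signs nothing, whereas in a real deployment the MX certificates must actually chain to the trust anchor named in the 2 0 1 record.

```shell
#!/bin/sh
# Added example (not from the thread, ICANN or Postfix): build and check the two
# TLSA record forms discussed above for an SMTP MX host, using only openssl and
# POSIX tools. Host names, file paths and generated keys are hypothetical.
set -eu

hex() { od -An -v -tx1 | tr -d ' \n'; }   # binary stdin -> lowercase hex

# DANE-EE(3) SPKI(1) SHA2-256(1): SHA-256 over the DER SubjectPublicKeyInfo.
# The value survives certificate renewals as long as the key pair is reused.
spki_sha256() {   # <cert PEM>
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary | hex
}

# DANE-TA(2) Cert(0) SHA2-256(1): SHA-256 over the full DER certificate of the
# issuing CA (trust anchor). Changes whenever that CA certificate is reissued.
cert_sha256() {   # <cert PEM>
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | hex
}

# Per-host pattern: a distinct (e.g. self-signed) cert per MX, record at the host name.
tlsa_ee_record() {   # <mx host> <host cert PEM>
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# Shared trust-anchor pattern: one TLSA RRset, each MX CNAMEs its TLSA name to it.
tlsa_ta_records() {  # <shared name> <CA cert PEM> <mx host>...
    shared=$1; ca=$2; shift 2
    printf '%s. IN TLSA 2 0 1 %s\n' "$shared" "$(cert_sha256 "$ca")"
    for mx in "$@"; do
        printf '_25._tcp.%s. IN CNAME %s.\n' "$mx" "$shared"
    done
}

# Client-side check for a "3 1 1" record: does the certificate the server presented
# carry the published SPKI digest? Exit status 0 = match, 1 = no match.
# Hex in DNS is case-insensitive, so normalise before comparing.
dane_ee_matches() {  # <presented cert PEM> <published hex digest>
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(spki_sha256 "$1")" = "$want" ]
}

# Self-contained demonstration with throwaway keys (run: sh tlsa.sh demo).
demo() {
    t=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$t/mx1.key" -out "$t/mx1.pem" -subj /CN=mx1.example.net -days 365
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$t/ca.key" -out "$t/ca.pem" -subj "/CN=example.net mail CA" -days 3650
    tlsa_ee_record mx1.example.net "$t/mx1.pem"
    # Demo CA only: in production the MX certs must actually chain to this CA.
    tlsa_ta_records tlsa.example.net "$t/ca.pem" mx1.example.net mx2.example.net
    # A renewed cert on the same key keeps the 3 1 1 value: no DNS change at renewal.
    openssl req -x509 -key "$t/mx1.key" -out "$t/mx1-renewed.pem" \
        -subj /CN=mx1.example.net -days 365
    dane_ee_matches "$t/mx1-renewed.pem" "$(spki_sha256 "$t/mx1.pem")" \
        && echo "renewed cert still matches the published 3 1 1 record"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Two operational caveats follow directly from the record forms: with the shared DANE-TA(2) pattern both the CNAME owner names and the target RRset must live in DNSSEC-signed zones, and the MX must send the trust-anchor certificate in its TLS chain, because a client holding only a digest has no other way to obtain it. Whichever form is used, STARTTLS has to be working on every MX before the TLSA records are published, since DANE-aware senders treat a host with TLSA records but no usable TLS as a delivery failure rather than falling back to cleartext. To probe a live MX the way the scan above did, run `posttls-finger` against it from a Postfix host with a validating resolver; it prints the EHLO exchange and, once TLSA records exist, whether the presented certificate matched them.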