Re: [dane] srv-09 comments

Paul Wouters <paul@nohats.ca> Tue, 17 February 2015 23:46 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 819BC1A8960 for <dane@ietfa.amsl.com>; Tue, 17 Feb 2015 15:46:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWE6_12dhBIZ for <dane@ietfa.amsl.com>; Tue, 17 Feb 2015 15:46:18 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC0E1A6F3F for <dane@ietf.org>; Tue, 17 Feb 2015 15:46:18 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kmzN73c08z7T6 for <dane@ietf.org>; Wed, 18 Feb 2015 00:46:15 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=kj3vuKIP; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id YdNe_5eYFjJ9 for <dane@ietf.org>; Wed, 18 Feb 2015 00:46:14 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dane@ietf.org>; Wed, 18 Feb 2015 00:46:14 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id F255380416 for <dane@ietf.org>; Tue, 17 Feb 2015 18:46:13 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1424216774; bh=9nD/bdquo8B0KCscYajOvCbiY4z/GlaKcdD/WIcWMJE=; h=Date:From:To:Subject:In-Reply-To:References; b=kj3vuKIPsuEiR81giygSNqLOO6yYTXD7keihOSXUB6fG5xOzzqzjzUJr21/i3X73j L5ViS/OYkuLwVahZrCx64cTIVdTOTLTR3iF8hTV7vNVoOhlgVcM7c2zASW40yd9Nd+ 4oJGHh64E4UWO2VRDOuN266M0DR1XtJn7fD9meJM=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t1HNkD9l022460 for <dane@ietf.org>; Tue, 17 Feb 2015 18:46:13 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 17 Feb 2015 18:46:13 -0500
From: Paul Wouters <paul@nohats.ca>
To: dane@ietf.org
In-Reply-To: <20150217231212.GT1260@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1502171815130.20591@bofh.nohats.ca>
References: <20150216170123.GR1260@mournblade.imrryr.org> <54E22A70.8050705@cisco.com> <20150216180813.GT1260@mournblade.imrryr.org> <54E265A3.8040201@cisco.com> <1936971F-ED29-45AD-8683-E449DC9330F8@ogud.com> <20150217231212.GT1260@mournblade.imrryr.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/NyUE-OwZ8Py0vvRqPq-3IbYIknE>
Subject: Re: [dane] srv-09 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 23:46:20 -0000

On Tue, 17 Feb 2015, Viktor Dukhovni wrote:

> This creates an interesting edge-case for testing whether individual
> MX hosts (or SRV target hosts) live in a signed zone (that's the
> purpose of the A/AAAA queries in the SRV and SMTP drafts that
> gate the applicability of TLSA lookups):
>
> 	; example.com is a signed zone
> 	;
> 	example.com. IN MX 0 mail.example.com.
> 	mail.example.com. IN CNAME mail.example.net.
> 	_25._tcp.mail.example.com. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
>
>
> 	; example.net is an "insecure" zone:
> 	;
> 	mail.example.net. IN A 192.0.2.1
>
> When a query for the "A" records of "mail.example.com." is
> sent to a validating iterative resolver, the response has
> a CNAME RR, an "A" RR and AD=0.  However the query domain
> is actually "secure", the reason for "AD=0" is that the CNAME
> points into an "insecure" zone.
>
> To accommodate this edge-case, when the A/AAAA record returns
> an insecure CNAME, Postfix sends a second query:
>
> 	mail.example.com. IN CNAME ?
>
> and if that yields "AD=1", TLSA records are still requested:
>
> 	_25._tcp.mail.example.com. IN TLSA ?
>
> and used if returned (with AD=1).

Why does postfix care about the security of the A/CNAME results before
asking for TLSA records?

Why isn't it asking for TLSA records and, if those are secure, not
caring about the AD bit for the A/AAAA/CNAME?

As long as whatever insecure A/CNAME/AAAA address has the right
certificate you were looking for.

Paul
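
As an added illustration (not Postfix code and not from either poster), the following Python model reproduces the exchange Viktor describes: a signed zone whose MX host is a CNAME into an unsigned zone, a toy validating resolver that clears AD as soon as the CNAME chain crosses into unsigned data, and the two-step gate (A/AAAA query, then a bare CNAME query when the first answer was insecure via a CNAME) before the TLSA lookup. The zone data, the `resolve()` stub and the `tlsa_usable()` helper are all constructed for this example; a real deployment would ask a DNSSEC-validating resolver and read the AD flag from the response.

```python
"""Toy model of the DANE "insecure CNAME" edge case (constructed example)."""
from dataclasses import dataclass

# Constructed zone data, mirroring the quoted message:
# example.com is signed, example.net is not.
ZONES = {"example.com.": True, "example.net.": False}

TLSA_RDATA = ("3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b"
              "7852b855")

RECORDS = {
    ("example.com.", "MX"): ["0 mail.example.com."],
    ("mail.example.com.", "CNAME"): ["mail.example.net."],
    ("_25._tcp.mail.example.com.", "TLSA"): [TLSA_RDATA],
    ("mail.example.net.", "A"): ["192.0.2.1"],
}


def zone_of(name):
    """Return the enclosing zone of an owner name (longest matching suffix)."""
    labels = name.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in ZONES:
            return cand
    raise KeyError(name)


@dataclass
class Answer:
    rrsets: list   # list of (owner, rtype, rdata_list) in answer order
    ad: bool       # AD flag as a validating resolver would set it


def resolve(qname, qtype):
    """Simulated validating resolver.

    Follows CNAMEs like a real resolver.  AD is set only when every RRset
    in the returned chain (including the final answer or NODATA) comes
    from a signed zone; one hop into unsigned data clears it.
    """
    rrsets, ad, name = [], True, qname
    for _ in range(8):                       # CNAME chain limit
        ad = ad and ZONES[zone_of(name)]
        if (name, qtype) in RECORDS:
            rrsets.append((name, qtype, RECORDS[(name, qtype)]))
            return Answer(rrsets, ad)
        if qtype != "CNAME" and (name, "CNAME") in RECORDS:
            target = RECORDS[(name, "CNAME")][0]
            rrsets.append((name, "CNAME", [target]))
            name = target                    # chase the CNAME
            continue
        return Answer(rrsets, ad)            # NODATA (secure or not)
    raise RuntimeError("CNAME chain too long")


def tlsa_usable(host, second_query=True):
    """Gate from the quoted message: decide whether TLSA applies to `host`.

    Returns (tlsa_rdata_or_None, reason).  With second_query=False the
    host is judged only by the AD bit of its A lookup, which is the
    behaviour the extra CNAME query was added to correct.
    """
    addr = resolve(host, "A")
    secure = addr.ad
    if not secure and second_query and any(r[1] == "CNAME" for r in addr.rrsets):
        # The A answer was insecure only because the CNAME target lives in
        # an unsigned zone; the owner name itself may still be signed.
        secure = resolve(host, "CNAME").ad
    if not secure:
        return None, "host not in a signed zone; no TLSA lookup"
    tlsa = resolve("_25._tcp." + host, "TLSA")
    if tlsa.ad and tlsa.rrsets:
        return tlsa.rrsets[-1][2], "TLSA usable (AD=1)"
    return None, "no authenticated TLSA"


if __name__ == "__main__":
    a = resolve("mail.example.com.", "A")
    print("A lookup:", [(o, t) for o, t, _ in a.rrsets], "AD=%d" % a.ad)
    print("CNAME lookup: AD=%d" % resolve("mail.example.com.", "CNAME").ad)
    print("gate without second query:", tlsa_usable("mail.example.com.", False))
    print("gate with second query:   ", tlsa_usable("mail.example.com."))
    print("MX host directly in unsigned zone:", tlsa_usable("mail.example.net."))
```

Running the module shows the first A lookup coming back as CNAME + A with AD=0, the bare CNAME lookup with AD=1, and the TLSA record at `_25._tcp.mail.example.com` only being consulted once the owner name has been shown to be signed; the address actually connected to (192.0.2.1) comes from the unsigned zone in every case, so the TLSA match against the presented certificate is what binds the connection to example.com.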