Re: [dane] I-D Action: draft-ietf-dane-srv-03.txt

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 19 December 2013 17:43 UTC

Date: Thu, 19 Dec 2013 17:43:09 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131219174309.GC1285@mournblade.imrryr.org>
References: <20131219160710.8908.47958.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20131219160710.8908.47958.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-srv-03.txt

On Thu, Dec 19, 2013 at 08:07:10AM -0800, internet-drafts@ietf.org wrote:

> 	Filename        : draft-ietf-dane-srv-03.txt

Another point I should raise is the question of when to perform
TLSA lookups.  In implementing DANE for Postfix, I found that it
is unwise to search for TLSA RRs for an MX host whose hostname ->
address mapping is insecure (that is when the MX RRset is in a
secure zone, but the MX host is not).

The example I posted to this group was nist.gov's MX RRset:

    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    nist.gov. IN MX      0 nist-gov.mail.protection.outlook.com.

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    nist-gov.mail.protection.outlook.com. IN A    207.46.163.170
    nist-gov.mail.protection.outlook.com. IN A    207.46.163.215
    nist-gov.mail.protection.outlook.com. IN A    207.46.163.247
    nist-gov.mail.protection.outlook.com. IN A    207.46.163.138

    $ dig +dnssec +noall +comment +ans -t tlsa nist-gov.mail.protection.outlook.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14224
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512

Attempts to retrieve the TLSA RRset SERVFAIL.  Postfix (as likely
should all other applications that want to find TLSA RRs) skips
the TLSA lookup when the MX (form of SRV) host's zone is not secure.

-- 
	Viktor.
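The lookup rule described in the message, as an added example that is neither Postfix's code nor part of this thread: a DANE-aware SMTP client should issue a TLSA query only after both the MX RRset and the MX host's address RRset have come back DNSSEC-validated (AD bit set). The resolver here is a constructed table; the nist.gov entries are shaped after the message, the example.com entries and the "3 1 1 PLACEHOLDER_SHA256" record are hypothetical, and the `_25._tcp.` owner-name prefix is the TLSA naming convention from RFC 6698.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    rcode: str          # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    secure: bool        # AD bit set by a validating resolver
    rdata: tuple = ()   # record data as text

# Constructed answers standing in for a validating resolver. The nist.gov
# entries mirror the message: secure MX RRset, insecure MX host (no AD bit).
# The example.com entries are hypothetical and show a fully secure chain.
FAKE_DNS = {
    ("nist.gov.", "MX"): Answer("NOERROR", True, ("0 nist-gov.mail.protection.outlook.com.",)),
    ("nist-gov.mail.protection.outlook.com.", "A"): Answer("NOERROR", False, ("207.46.163.170",)),
    ("_25._tcp.nist-gov.mail.protection.outlook.com.", "TLSA"): Answer("SERVFAIL", False),
    ("example.com.", "MX"): Answer("NOERROR", True, ("10 mx.example.com.",)),
    ("mx.example.com.", "A"): Answer("NOERROR", True, ("192.0.2.25",)),
    ("_25._tcp.mx.example.com.", "TLSA"): Answer("NOERROR", True, ("3 1 1 PLACEHOLDER_SHA256",)),
}

def resolve(name, rtype, log):
    """Answer (name, rtype) from FAKE_DNS and record the query in `log`."""
    log.append((name, rtype))
    return FAKE_DNS.get((name, rtype), Answer("NXDOMAIN", False))

def dane_policy(domain, log):
    """Decide TLS policy for `domain`'s first MX host: "dane" (validated TLSA
    RRset found), "no-dane" (fall back to unauthenticated opportunistic TLS) or
    "defer" (lookup failure, retry later). The TLSA query is issued only when the
    MX RRset and the MX host's address RRset are both DNSSEC-validated."""
    mx = resolve(domain, "MX", log)
    if mx.rcode == "SERVFAIL":
        return "defer"
    if not mx.secure or not mx.rdata:
        return "no-dane"            # insecure MX RRset: nothing below it is trustworthy
    host = mx.rdata[0].split()[1]   # "pref host" form; first record only, for brevity
    addr = resolve(host, "A", log)
    if addr.rcode == "SERVFAIL":
        return "defer"
    if not addr.secure:
        return "no-dane"            # the nist.gov case: do not query TLSA at all
    tlsa = resolve(f"_25._tcp.{host}", "TLSA", log)   # TLSA owner name per RFC 6698
    if tlsa.rcode == "SERVFAIL":
        return "defer"              # treated here as transient, not as "no TLSA"
    if tlsa.rcode != "NOERROR" or not tlsa.secure or not tlsa.rdata:
        return "no-dane"
    return "dane"
```

The query log makes the point visible: for nist.gov the client stops after the insecure A lookup and never sends the TLSA query that would SERVFAIL.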