[dane] Adoption data-point and operational considerations...

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 December 2014 09:58 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9931A1B6D for <dane@ietfa.amsl.com>; Tue, 9 Dec 2014 01:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtVkcQOYHya0 for <dane@ietfa.amsl.com>; Tue, 9 Dec 2014 01:58:15 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F22B1A1B12 for <dane@ietf.org>; Tue, 9 Dec 2014 01:58:15 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id ECED9282F8B; Tue, 9 Dec 2014 09:58:13 +0000 (UTC)
Date: Tue, 9 Dec 2014 09:58:13 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141209095813.GP285@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/RAuSE95NJlhX5sIc1kciq_ZdpZ8
Subject: [dane] Adoption data-point and operational considerations...
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Dec 2014 09:58:19 -0000

[ In part WG-related, please see questions at the end... ]

Google's email transparency report in includes a last of mail
sending and receiving domains that are "large enough" to be included
in their stats.

    https://www.google.com/transparencyreport/saferemail/data/

Out of 17800 domains, 270 had DNSSEC-signed MX records.  Of the
latter, 162 had one of their best-preference MX host in a DNSSEC
domain and were in a position to publish DANE TLSA records.  Finally,
10 of those domains actually had TLSA records deployed:

    unitymedia.de
    posteo.de
    bund.de
    jpberlin.de
    lrz.de
    debian.org
    freebsd.org
    ietf.org
    torproject.org
    listserv.state.pa.us

These were already on my curated list, and represent many of its
larger domains.  That list now has 463 DANE email domains.  So
clearly at present most of the deployments are small sites that
are "more agile" in their willingness to deploy early.

If we can clear more deployment roadblocks, I am hoping to see
substantially higher numbers by this time next year.

One deployment pitfall discovered in recent interoperability tests
is that some domains have cleartext-only anti-spam proxies in front
of their MTA, with the proxies only allowing connections to the
real MTA once the SMTP client passes a grey-listing check (this
was observed with "spamd" as the proxy, but any "selective access"
to TLS can be similarly problematic).

If the receiving domain publishes TLSA records, this creates a
catch-22 with DANE-aware client MTAs.  The DANE client never begins
the first mail transaction, because the proxy does not offer
STARTTLS, (the proxy is a receiving system deployed downgrade to
cleartext MiTM in front of the real MTA).

The short-term solution for such domains is to NOT publish TLSA
RRs for port 25.  Longer-term the anti-spam proxy should be upgraded
to support STARTTLS.  For example, the Postfix "postscreen" service,
which has functionality similar to "spamd", supports STARTTLS so that
grey-listing does not amount to a similar downgrade attack.

I'd like to add some language about avoiding this problem in the
operational considerations section of the smtp-with-dane draft.
Any objections?  

Additional operational considerations might include not forgetting
to update TLSA RRs for *all* the names under which a server might
be known when doing key rotation.  This is a problem particularly
when a single wild-card certificate is deployed on all the MX hosts,
and replaced concurrently on them all, creating an immediate outage
for any domains that use variant MX host names (for flexibility of
later hosting some domains separately).  With DANE one should
strongly consider per-server certificates to avoid synchronized
multi-MTA outages.

And lastly, by far the most common problems are with DNSSEC.  A
mixture of failure to perform timely re-signing and at present lots
of domains with nameservers that have non-working Denial of Existence.
I don't have a comprehensive list of software that is deficient in
this manner, but it seems that some older versions of PowerDNS
botch DoE in at least some configurations.  Similar issues reportedly
with djbdns DNSSEC patches.  A few domains have firewalls that
block TLSA queries, one blocked these only for IPv4 clients, with
IPv6 clients not filtered, that can create difficult to diagnose
problems.

So I am looking for guidance on how much *current* operational
experience to include in the draft that may ultimately become
irrelevant as the infrastructure improves, but may be very useful
to get us past the initial deployment hurdles.  If we don't get
early adopters past the initial problems, the long-term obsolescence
of the issues might remain forever in the future.

The DNSSEC issues often impact domains that don't publish TLSA
records, just signing the zone, but operating a nameserver that is
not quite up to spec causes the majority of the problems.  How
should that issue be presented?  It applies to folks who are not
specifically deploying the protocol.  The simplest work-around
is often to publish:

    _25._tcp.<mx-host>. IN TXT "No TLSA RRs here yet"

or to publish real TLSA records, since creating either type of
record avoids most of the DoE bugs.  (I am optimistic that most of
the DoE problems will be remediated by this time next year once
the .nl registrars update their software, and most PowerDNS users
upgrade to a sufficiently recent release).

-- 
	Viktor.