Re: [dane] DANE for MX host via insecure MX RR?
Michael Ströder <michael@stroeder.com> Thu, 10 September 2015 17:52 UTC
Return-Path: <michael@stroeder.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1FA1B402B for <dane@ietfa.amsl.com>; Thu, 10 Sep 2015 10:52:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLWIsap1QXYb for <dane@ietfa.amsl.com>; Thu, 10 Sep 2015 10:52:38 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30701B3FDF for <dane@ietf.org>; Thu, 10 Sep 2015 10:52:37 -0700 (PDT)
Received: from srv4.stroeder.local (unknown [10.1.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer "stroeder.com Server CA no. 2009-07" (verified OK)) by srv1.stroeder.com (Postfix) with ESMTPS id 97F771CF28 for <dane@ietf.org>; Thu, 10 Sep 2015 17:52:35 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local [10.1.1.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id 8DB3B1CE87 for <dane@ietf.org>; Thu, 10 Sep 2015 17:52:34 +0000 (UTC)
To: dane@ietf.org
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se> <20150824031926.GF9021@mournblade.imrryr.org> <55F1B075.5060809@stroeder.com> <20150910165337.GZ21942@mournblade.imrryr.org>
From: Michael Ströder <michael@stroeder.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55F1C362.4000607@stroeder.com>
Date: Thu, 10 Sep 2015 19:52:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 SeaMonkey/2.35
MIME-Version: 1.0
In-Reply-To: <20150910165337.GZ21942@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040909050609040407040403"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/W06AbAx8dDvVyR7zPGlxXKwgGiM>
Subject: Re: [dane] DANE for MX host via insecure MX RR?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2015 17:52:41 -0000
Viktor Dukhovni wrote: > On Thu, Sep 10, 2015 at 06:31:49PM +0200, Michael Ströder wrote: >>> If you want to propose an update that requires SMTP clients to >>> employ DANE TLSA verification of MX hosts in signed zones even when >>> the MX RRset was not "secure", read the previous discussion of this >>> question in the list archives (yes, it has come up before) and make >>> a clear-cut proposal with as solid a rationale as you can. >>> >>> I am not sure this can get enough support to reach "rough consensus", >>> but I'm open to the possibility. >> >> Without a signed MX there's no cryptographically secured binding between the >> recipient domain (right address part) and the public key used for TLS authc. >> >> So I'm strictly against this possibility and the developers of a MTA I spoke >> with today are also strongly against this. >> >> @Patrik: Deploying DNSSEC/DANE at large scale is not an easy job. If you drop >> the requirement for signed MX RRs DANE would not be worth the effort to be >> implemented. > > Note, the hypothetical proposal would not weaken DANE in any way, > nor would it "drop" the requirement to pay attention to the security > status of the MX RRset, in particular "bogus" replies or other DNS > errors in MX resolution would still result in deferral of mail. > > All that would hypothetically happen, is that even when the MX > RRset is "insecure" (verifiably from an unsigned zone) but the > target MX host is in a signed zone and has "secure" TLSA records, > DANE authentication might be "SHOULD" or "MUST", rather than the > current "MAY". > > https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-2.2.1 > > Since the protocol in this memo is an "opportunistic security" > protocol ([RFC7435]) the SMTP client MAY elect to use DANE TLS (as > described in Section 2.2.2 below) even with MX hosts obtained via an > "insecure" MX RRSet. For example, when a hosting provider has a > signed DNS zone and publishes TLSA records for its SMTP servers, > hosted domains that are not signed may still benefit from the > provider's TLSA records. Deliveries via the provider's SMTP servers > will not be subject to active attacks when sending SMTP clients elect > to make use of the provider's TLSA records (active attacks that > tamper with the "insecure" MX RRSet are of course still possible in > this case). > > I think the current "MAY" is sufficient for now, but if that proves > to be a valuable feature of the protocol, an a short update BCP > RFC upgrading the "MAY" to a "SHOULD" or "MUST" might be possible > in the future. Hmm...I can understand why you wrote it like this. But some people are more eager and want to push things into mandatory way. I wished DANE starts with "MUST" from the very beginning. It's a new standard and a big invest anyway. > So long as such sessions are not reported as secure, and are not > accepted when DANE authentication is mandatory (e.g. Postfix > "dane-only" TLS security level), the proposal does not in any > way reduce the security of DANE as specified. Postfix's "dane-only" requires successfully validated signed MX RRs? > The main risk is with reliability. Perhaps only those customers > of a service provider that operate DNSSEC signed domains are willing > to accept service availability risk in case of DANE authentication > failure, and the customers with unsigned zones want service > availability above all else. If the proposal is formalized, then > all customer domains suffer if the TLSA records are ever wrong, > even those whose domains are unsigned. Yes, service providers have opt-in mechs for such a distinction. And of course they must have *different* right-hand parts in their MX RRs for both cases. > So the proposal is not obviously damaging, just possibly premature. > We'll know more once there is more deployment and people either > learn (or don't learn) to operate their TLSA records correctly. People should be prepared that some MTAs will require signed MX RRs. Ciao, Michael.
- [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed Peter Koch
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? (… Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder