Re: [dane] DANE for MX host via insecure MX RR? (was: Delivery of email if MX is not signed)
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 24 August 2015 03:19 UTC
Date: Mon, 24 Aug 2015 03:19:26 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150824031926.GF9021@mournblade.imrryr.org>
References: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <D976ACCE-8F15-448C-A5E4-B8D1FD329A8B@frobbit.se>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/a1EY4MybQctluoH6bon_eb-RtaQ>
On Sun, Aug 23, 2015 at 07:29:50PM +0200, Patrik Fältström wrote:

> If not, we will get absolutely zero deployment of DANE with SMTP as we
> will never get 100% DNSSEC deployment.

We already have non-zero deployment, in fact ~2000 domains now, and soon gmx.de and web.de as announced last week.

I think this thread needs to end, or else needs a more relevant (to this WG) reboot.

If you want to propose an update that requires SMTP clients to employ DANE TLSA verification of MX hosts in signed zones even when the MX RRset was not "secure", read the previous discussion of this question in the list archives (yes, it has come up before) and make a clear-cut proposal with as solid a rationale as you can. I am not sure this can get enough support to reach "rough consensus", but I'm open to the possibility.

If we don't misrepresent the resulting security, it may be an acceptable deterrent to downgrade attacks against the MX host when for some reason the attacker is unable or reluctant to tamper with DNS.

I'll survey the larger providers on this question at M3AAWG in Atlanta in October. In the meantime we're making progress on deploying DANE for SMTP as specified in the draft (upcoming RFC).

-- 
Viktor.
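The policy choice discussed in the message above, as an added example in Python (this is not code from the message, from Postfix, or from the draft): an SMTP client decides per MX host between DANE-authenticated TLS, unauthenticated opportunistic TLS, and deferral, following the draft's rule that TLSA records are consulted only when the MX RRset itself was DNSSEC-secure, with a switch for the alternative proposed on the list, where the MX host's TLSA records are honoured even when the MX RRset that named it was insecure. All DNS answers, hostnames (`example.com`, `example.net`, `mx.attacker.example`) and the SPKI bytes are constructed for the example; the `lookup` callable stands in for a validating stub resolver and the `Sec`/`Policy`/`Tlsa`/`Answer` names are this example's own.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Sec(Enum):
    SECURE = "secure"      # DNSSEC-validated (AD bit from a validating resolver)
    INSECURE = "insecure"  # unsigned zone, no chain of trust (not an error)
    BOGUS = "bogus"        # validation failed; a validating resolver returns SERVFAIL


class Policy(Enum):
    DANE = "dane"                    # TLS required, peer cert must match a TLSA record
    OPPORTUNISTIC = "opportunistic"  # STARTTLS if offered, else cleartext; no authentication
    DEFER = "defer"                  # DNSSEC failure: do not deliver now, retry later


@dataclass(frozen=True)
class Tlsa:
    usage: int     # RFC 6698 usage; SMTP clients use DANE-TA(2) and DANE-EE(3)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Answer:
    status: Sec
    rrs: tuple = ()  # empty tuple with SECURE status = secure denial of existence


def usable(t: Tlsa) -> bool:
    """PKIX-TA(0)/PKIX-EE(1) and unknown parameter values are treated as unusable."""
    return t.usage in (2, 3) and t.selector in (0, 1) and t.mtype in (0, 1, 2)


def mx_policies(domain, lookup, dane_on_insecure_mx=False):
    """Return [(mx_host, Policy)] for mail to `domain`.

    Default: TLSA records are consulted only when the MX RRset was itself
    secure.  With dane_on_insecure_mx=True (the list proposal): apply DANE to
    any MX host whose own TLSA lookup is secure, even if the MX RRset was not.
    """
    mx = lookup(domain, "MX")
    if mx.status is Sec.BOGUS:
        return [(None, Policy.DEFER)]
    hosts = mx.rrs or (domain,)  # no MX records: implicit MX is the domain itself
    trust_mx = mx.status is Sec.SECURE or dane_on_insecure_mx
    result = []
    for host in hosts:
        if not trust_mx:
            # An unsigned MX RRset can be forged, so the host's TLSA records prove nothing.
            result.append((host, Policy.OPPORTUNISTIC))
            continue
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        if tlsa.status is Sec.BOGUS:
            result.append((host, Policy.DEFER))
        elif tlsa.status is Sec.SECURE and any(usable(t) for t in tlsa.rrs):
            result.append((host, Policy.DANE))
        else:
            result.append((host, Policy.OPPORTUNISTIC))
    return result


def spki_sha256_matches(t: Tlsa, spki_der: bytes) -> bool:
    """DANE-EE(3) SPKI(1) SHA-256(1): compare with the digest of the peer's SubjectPublicKeyInfo."""
    return (t.usage, t.selector, t.mtype) == (3, 1, 1) and t.data == hashlib.sha256(spki_der).digest()


# --- constructed DNS data for the example (not real zones, hosts or keys) ---
MX1_SPKI = b"constructed DER SubjectPublicKeyInfo for mx1.example.com"
TLSA_MX1 = Tlsa(3, 1, 1, hashlib.sha256(MX1_SPKI).digest())

SIGNED = {  # everything signed: the case the draft covers
    ("example.com", "MX"): Answer(Sec.SECURE, ("mx1.example.com",)),
    ("_25._tcp.mx1.example.com", "TLSA"): Answer(Sec.SECURE, (TLSA_MX1,)),
}
UNSIGNED_MX = {  # example.net is unsigned but its MX host lives in a signed zone
    ("example.net", "MX"): Answer(Sec.INSECURE, ("mx1.example.com",)),
    ("_25._tcp.mx1.example.com", "TLSA"): Answer(Sec.SECURE, (TLSA_MX1,)),
}
SPOOFED_MX = dict(UNSIGNED_MX)  # an attacker who can forge the unsigned MX answer
SPOOFED_MX[("example.net", "MX")] = Answer(Sec.INSECURE, ("mx.attacker.example",))
SPOOFED_MX[("_25._tcp.mx.attacker.example", "TLSA")] = Answer(Sec.INSECURE, ())


def resolver(table):
    """Stand-in for a validating stub resolver; unknown names are insecure NODATA."""
    return lambda name, rtype: table.get((name, rtype), Answer(Sec.INSECURE, ()))


if __name__ == "__main__":
    cases = [("signed", "example.com", SIGNED, False),
             ("unsigned MX, draft rule", "example.net", UNSIGNED_MX, False),
             ("unsigned MX, proposal", "example.net", UNSIGNED_MX, True),
             ("spoofed MX, proposal", "example.net", SPOOFED_MX, True)]
    for label, dom, table, flag in cases:
        print(f"{label}: {mx_policies(dom, resolver(table), flag)}")
```

The spoofed case is the reason the proposal is at best a deterrent: when the MX RRset is unsigned, an attacker who can forge it simply answers with a host that has no TLSA records, and the client falls back to unauthenticated opportunistic TLS exactly as it would without the proposal. The extra check only bites against an attacker positioned on the SMTP connection who leaves DNS alone, which is the qualification the message attaches to it.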
- [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed lst_hoe02
- Re: [dane] Delivery of email if MX is not signed Peter Koch
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] Delivery of email if MX is not signed Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? (… Viktor Dukhovni
- Re: [dane] Delivery of email if MX is not signed Paul Wouters
- Re: [dane] Delivery of email if MX is not signed Patrik Fältström
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder
- Re: [dane] DANE for MX host via insecure MX RR? Viktor Dukhovni
- Re: [dane] DANE for MX host via insecure MX RR? Michael Ströder