Re: [dane] DANE for MX host via insecure MX RR? (was: Delivery of email if MX is not signed)

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 24 August 2015 03:19 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/a1EY4MybQctluoH6bon_eb-RtaQ>

On Sun, Aug 23, 2015 at 07:29:50PM +0200, Patrik Fältström wrote:

> If not, we will get absolutely zero deployment of DANE with SMTP as we
> will never get 100% DNSSEC deployment.

We already have non-zero deployment, in fact ~2000 domains now, and
soon gmx.de and web.de as announced last week.

I think this thread needs to end, or else needs a more relevant
(to this WG) reboot.

If you want to propose an update that requires SMTP clients to
employ DANE TLSA verification of MX hosts in signed zones even when
the MX RRset was not "secure", read the previous discussion of this
question in the list archives (yes, it has come up before) and make
a clear-cut proposal with as solid a rationale as you can.  

I am not sure this can get enough support to reach "rough consensus",
but I'm open to the possibility.  If we don't misrepresent the
resulting security, it may be an acceptable deterrent to downgrade
attacks against the MX host when for some reason the attacker is
unable or reluctant to tamper with DNS.

I'll survey the larger providers on this question at M3AAWG in
Atlanta in October.  In the meantime we're making progress on
deploying DANE for SMTP as specified in the draft (upcoming RFC).

-- 
	Viktor.