Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers

James Cloos <cloos@jhcloos.com> Thu, 21 November 2013 17:11 UTC

Return-Path: <cloos@jhcloos.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20FD21AE215 for <dane@ietfa.amsl.com>; Thu, 21 Nov 2013 09:11:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_14=0.6, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jgj3VUK32WPY for <dane@ietfa.amsl.com>; Thu, 21 Nov 2013 09:11:36 -0800 (PST)
Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297]) by ietfa.amsl.com (Postfix) with ESMTP id BBDA41AE21A for <dane@ietf.org>; Thu, 21 Nov 2013 09:11:36 -0800 (PST)
Received: by ore.jhcloos.com (Postfix, from userid 10) id B818D1DEF0; Thu, 21 Nov 2013 17:11:28 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore13; t=1385053888; bh=D5c6yHi4yVJNjsVj93CFJQYoImp8/+HEoSfmudvR8co=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=hRRALBHd8w28uOWK2sahCSs0HGS39wHDf8ZKGbuotFWTc1CdeYb6xOPq4waMj7TZb 4pvOdJizgNIgrbV4UTtCEcdHMoWgHdWrk1qS1tvHNjew1r2ZraUe4fXk0hGiXnBQSN NZZxpCfCkx57asPv/Vk3uPwN1k03ME0SDzfF7RQBn3Q==
Received: by carbon.jhcloos.org (Postfix, from userid 500) id B3C8760027; Thu, 21 Nov 2013 17:08:38 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: dane@ietf.org
In-Reply-To: <20131120212813.GJ761@mournblade.imrryr.org> (Viktor Dukhovni's message of "Wed, 20 Nov 2013 21:28:13 +0000")
References: <20131120212813.GJ761@mournblade.imrryr.org>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2013 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Thu, 21 Nov 2013 12:08:38 -0500
Message-ID: <m361rl3cnk.fsf@carbon.jhcloos.org>
Lines: 13
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:30:131121:dane@ietf.org::TLqscfqHvCKHEdA4:000P93+u
X-Hashcash: 1:30:131121:viktor1dane@dukhovni.org::+uxt/gqI4nce+/Ap:000000000000000000000000000000000000O4TRB
Subject: Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 17:11:47 -0000

>>>>> "VD" == Viktor Dukhovni <viktor1dane@dukhovni.org> writes:

VD> with the MX host an unsigned zone:

Given insecure a/aaaa results, it is reasonable to presume that tlsa
results also will be insecure.

Avoiding the tlsa lookup has the downside of serializing the requests,
but that appears to be necessary in the face of b0rked auth servers.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
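The ordering argued for above, as an added example that is not part of the message or of any MTA's code: a constructed in-memory resolver with three zones (an unsigned zone on a bare-bones authoritative server, a signed zone with a TLSA record, and a signed zone whose server cannot answer TLSA queries), plus two client strategies. The serialized one asks for address records first and only issues the TLSA query when that answer validated; the parallel one fires both queries up front. The zone names, addresses, TLSA rdata and the `ToyResolver`/`Zone` helpers are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Validation states as a validating stub resolver reports them.
SECURE, INSECURE, BOGUS, SERVFAIL = "secure", "insecure", "bogus", "servfail"


@dataclass
class Answer:
    status: str
    rdata: list = field(default_factory=list)


@dataclass
class Zone:
    signed: bool              # zone is DNSSEC-signed with a secure delegation
    bare_bones: bool = False  # auth server that chokes on RR types it does not know
    records: dict = field(default_factory=dict)  # (owner, rtype) -> [rdata]


class ToyResolver:
    """Constructed stand-in for a validating resolver plus the authoritative
    servers behind it.  Every query is logged so the strategies can be compared."""

    KNOWN_TYPES = {"A", "AAAA", "MX"}   # all a bare-bones server can answer

    def __init__(self):
        self.zones = {}
        self.log = []

    def add_zone(self, apex, zone):
        self.zones[apex] = zone

    def _zone_for(self, qname):
        # Longest-suffix match against the configured zone apexes.
        candidates = [a for a in self.zones if qname == a or qname.endswith("." + a)]
        return max(candidates, key=len) if candidates else None

    def query(self, qname, qtype):
        self.log.append((qname, qtype))
        apex = self._zone_for(qname)
        if apex is None:
            return Answer(SERVFAIL)
        zone = self.zones[apex]
        if zone.bare_bones and qtype not in self.KNOWN_TYPES:
            # The impedance mismatch from the thread subject: TLSA is unanswerable.
            return Answer(SERVFAIL)
        rdata = zone.records.get((qname, qtype), [])
        return Answer(SECURE if zone.signed else INSECURE, rdata)


def serialized_policy(resolver, mxhost):
    """Address records first; TLSA only once those are known to be secure.
    Returns the TLS policy the client would apply to this MX host."""
    addr = resolver.query(mxhost, "A")
    if addr.status in (BOGUS, SERVFAIL):
        return "defer"              # cannot even resolve the host safely
    if addr.status == INSECURE:
        # Unsigned zone: a TLSA answer could not be validated anyway, so the
        # lookup is skipped and the bare-bones server is never asked for it.
        return "opportunistic-tls"
    tlsa = resolver.query("_25._tcp." + mxhost, "TLSA")
    if tlsa.status in (BOGUS, SERVFAIL):
        return "defer"              # secure host, but no usable TLSA answer
    if tlsa.status == INSECURE or not tlsa.rdata:
        return "opportunistic-tls"
    return "dane"


def parallel_policy(resolver, mxhost):
    """Both queries up front to save a round trip; the decision logic is the
    same, but the TLSA query always reaches the (possibly broken) server."""
    addr = resolver.query(mxhost, "A")
    tlsa = resolver.query("_25._tcp." + mxhost, "TLSA")
    if addr.status in (BOGUS, SERVFAIL):
        return "defer"
    if addr.status == INSECURE:
        return "opportunistic-tls"  # TLSA answer (or its SERVFAIL) is moot
    if tlsa.status in (BOGUS, SERVFAIL):
        return "defer"
    if tlsa.status == INSECURE or not tlsa.rdata:
        return "opportunistic-tls"
    return "dane"


def build_resolver():
    """Three constructed zones covering the cases discussed in the thread."""
    r = ToyResolver()
    # MX host in an unsigned zone served by a bare-bones server.
    r.add_zone("unsigned.example", Zone(signed=False, bare_bones=True, records={
        ("mx.unsigned.example", "A"): ["192.0.2.10"]}))
    # Signed zone on a capable server with a TLSA record published.
    r.add_zone("signed.example", Zone(signed=True, records={
        ("mx.signed.example", "A"): ["192.0.2.20"],
        ("_25._tcp.mx.signed.example", "TLSA"): ["3 1 1 " + "ab" * 32]}))
    # Signed zone whose server nonetheless cannot answer TLSA: nothing to skip here.
    r.add_zone("barebones.example", Zone(signed=True, bare_bones=True, records={
        ("mx.barebones.example", "A"): ["192.0.2.30"]}))
    return r


if __name__ == "__main__":
    for host in ("mx.unsigned.example", "mx.signed.example", "mx.barebones.example"):
        r = build_resolver()
        print(host, serialized_policy(r, host), len(r.log), "queries")
```

For the unsigned zone the serialized client sends one query and never touches the broken server's TLSA handling; the parallel client sends two and must discard a SERVFAIL it had no use for. The cost of serializing shows up only for signed zones, where the TLSA query waits on the address answer, and the signed-but-broken zone shows the case that no ordering can rescue.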