Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers

Mark Andrews <marka@isc.org> Wed, 20 November 2013 22:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425511AE570 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 14:49:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.426
X-Spam-Level:
X-Spam-Status: No, score=-2.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsSsjVLHH7E6 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 14:49:18 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id ADD731AE531 for <dane@ietf.org>; Wed, 20 Nov 2013 14:49:17 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 83AD92383A7; Wed, 20 Nov 2013 22:48:56 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1E9AC16042E; Wed, 20 Nov 2013 22:55:46 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 176B81603E9; Wed, 20 Nov 2013 22:55:45 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id A2886AA9D22; Thu, 21 Nov 2013 09:48:52 +1100 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20131120212813.GJ761@mournblade.imrryr.org>
In-reply-to: Your message of "Wed, 20 Nov 2013 21:28:13 -0000." <20131120212813.GJ761@mournblade.imrryr.org>
Date: Thu, 21 Nov 2013 09:48:52 +1100
Message-Id: <20131120224852.A2886AA9D22@rock.dv.isc.org>
Cc: hostmaster@nist.gov
Subject: Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 22:49:20 -0000

hostmaster@nist.gov
	 your choice of mail handler provider is causing operational
problem.

In message <20131120212813.GJ761@mournblade.imrryr.org>, Viktor Dukhovni writes:
> 
> This week I received the first report of SMTP deliveries consistently
> deferred due to TLSA RRset lookup problems.  The problem site is
> nist.gov which has a DNSSEC validate MX RRset:
> 
>     $ secdig() { dig +adflag +noall +comments +ans "$@" @8.8.8.8; }
> 
>     $ secdig -t mx nist.gov.
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20926
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
>     ;; ANSWER SECTION:
>     nist.gov.	IN	MX	0 nist-gov.mail.protection.outlook.com.
> 
> with the MX host an unsigned zone:
> 
>     $ secdig -t a nist-gov.mail.protection.outlook.com.
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3142
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
>     ;; ANSWER SECTION:
>     nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.247
>     nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.138
>     nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.215
> 
> So far, so good, but if one tries to obtain TLSA RRs for the SMTP service
> at this host:
> 
>     $ secdig -t TYPE52 _25._tcp.nist-gov.mail.protection.outlook.com.
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63234
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> the remote DNS server responds with SERVFAIL, not NXDOMAIN, even though:
> 
>     $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com.
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> so clearly whatever DNS load-balancing kit is responsible for
> mail.protection.outlook.com (the problem happens for all names
> from this domain down) has a rather incomplete DNS implementation.

Yep, it returns NOTIMP and the developers didn't think about what
the correct response to a query type that you don't load should be.

Note a RFC 103[45] server is not permitted to serve a zone that it
can't load.  TXT and NS records are known types with no special
processing.  RFC 103[45] say what to return if the name exists and
the type doesn't and it isn't NOTIMP.

> What this means for DANE is that one should try to avoid sending
> TLSA queries when the TLSA base domain (the desired TCP endpoint)
> has been discovered to lie in an "insecure" zone.
> 
> It is extremely unlikely that when "mx.example" is insecure, somehow
> through the magic of DLV "_port._tcp.mx.example" is secure.
> 
> Postfix had code to avoid such queries, but it was applied too
> narrowly (only when sending to non-MX destinations), the next
> snapshot will have code to suppress TLSA lookups also with insecure
> MX hosts.
> 
> Barring a contrary consensus from the group I will add suitable
> language to the SMTP and the OPS drafts.  (The Postfix code will
> need to implement the work-around regardless, my question is whether
> the work-around can be stated in the SMTP and/or OPs drafts).
> 
> Without the work-around, there will be undesirable interoperability
> issues when TLSA queries are sent to DNS servers that are neither
> DNSSEC not DANE TLSA aware and may misbehave when presented with
> unexpected queries.
> 
> FWIW, the server in question even fails with CNAME or PTR lookups:
> 
>     $ secdig -t CNAME _25._tcp.nist-gov.mail.protection.outlook.com.
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38672
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> -- 
> 	Viktor.
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org