Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
Mark Andrews <marka@isc.org> Wed, 20 November 2013 22:49 UTC
Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425511AE570 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 14:49:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.426
X-Spam-Level:
X-Spam-Status: No, score=-2.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsSsjVLHH7E6 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 14:49:18 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id ADD731AE531 for <dane@ietf.org>; Wed, 20 Nov 2013 14:49:17 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 83AD92383A7; Wed, 20 Nov 2013 22:48:56 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1E9AC16042E; Wed, 20 Nov 2013 22:55:46 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 176B81603E9; Wed, 20 Nov 2013 22:55:45 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id A2886AA9D22; Thu, 21 Nov 2013 09:48:52 +1100 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20131120212813.GJ761@mournblade.imrryr.org>
In-reply-to: Your message of "Wed, 20 Nov 2013 21:28:13 -0000." <20131120212813.GJ761@mournblade.imrryr.org>
Date: Thu, 21 Nov 2013 09:48:52 +1100
Message-Id: <20131120224852.A2886AA9D22@rock.dv.isc.org>
Cc: hostmaster@nist.gov
Subject: Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 22:49:20 -0000
hostmaster@nist.gov your choice of mail handler provider is causing operational problem. In message <20131120212813.GJ761@mournblade.imrryr.org>, Viktor Dukhovni writes: > > This week I received the first report of SMTP deliveries consistently > deferred due to TLSA RRset lookup problems. The problem site is > nist.gov which has a DNSSEC validate MX RRset: > > $ secdig() { dig +adflag +noall +comments +ans "$@" @8.8.8.8; } > > $ secdig -t mx nist.gov. > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20926 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; ANSWER SECTION: > nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com. > > with the MX host an unsigned zone: > > $ secdig -t a nist-gov.mail.protection.outlook.com. > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3142 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 > > ;; ANSWER SECTION: > nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.247 > nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.138 > nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.215 > > So far, so good, but if one tries to obtain TLSA RRs for the SMTP service > at this host: > > $ secdig -t TYPE52 _25._tcp.nist-gov.mail.protection.outlook.com. > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63234 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > the remote DNS server responds with SERVFAIL, not NXDOMAIN, even though: > > $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com. > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > so clearly whatever DNS load-balancing kit is responsible for > mail.protection.outlook.com (the problem happens for all names > from this domain down) has a rather incomplete DNS implementation. Yep, it returns NOTIMP and the developers didn't think about what the correct response to a query type that you don't load should be. Note a RFC 103[45] server is not permitted to serve a zone that it can't load. TXT and NS records are known types with no special processing. RFC 103[45] say what to return if the name exists and the type doesn't and it isn't NOTIMP. > What this means for DANE is that one should try to avoid sending > TLSA queries when the TLSA base domain (the desired TCP endpoint) > has been discovered to lie in an "insecure" zone. > > It is extremely unlikely that when "mx.example" is insecure, somehow > through the magic of DLV "_port._tcp.mx.example" is secure. > > Postfix had code to avoid such queries, but it was applied too > narrowly (only when sending to non-MX destinations), the next > snapshot will have code to suppress TLSA lookups also with insecure > MX hosts. > > Barring a contrary consensus from the group I will add suitable > language to the SMTP and the OPS drafts. (The Postfix code will > need to implement the work-around regardless, my question is whether > the work-around can be stated in the SMTP and/or OPs drafts). > > Without the work-around, there will be undesirable interoperability > issues when TLSA queries are sent to DNS servers that are neither > DNSSEC not DANE TLSA aware and may misbehave when presented with > unexpected queries. > > FWIW, the server in question even fails with CNAME or PTR lookups: > > $ secdig -t CNAME _25._tcp.nist-gov.mail.protection.outlook.com. > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38672 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > -- > Viktor. > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dane] TLSA lookup impedance mismatch with bare-b… Viktor Dukhovni
- Re: [dane] TLSA lookup impedance mismatch with ba… Mark Andrews
- Re: [dane] TLSA lookup impedance mismatch with ba… Viktor Dukhovni
- Re: [dane] TLSA lookup impedance mismatch with ba… Martin Rex
- Re: [dane] TLSA lookup impedance mismatch with ba… Mark Andrews
- Re: [dane] TLSA lookup impedance mismatch with ba… James Cloos
- Re: [dane] TLSA lookup impedance mismatch with ba… Viktor Dukhovni