Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt

James Cloos <> Wed, 06 November 2013 13:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D0F3711E81AC for <>; Wed, 6 Nov 2013 05:35:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oHBwTS+74v42 for <>; Wed, 6 Nov 2013 05:35:35 -0800 (PST)
Received: from ( [IPv6:2604:2880::b24d:a297]) by (Postfix) with ESMTP id 2825311E81A9 for <>; Wed, 6 Nov 2013 05:35:35 -0800 (PST)
Received: by (Postfix, from userid 10) id D536B1E107; Wed, 6 Nov 2013 13:35:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ore13; t=1383744932; bh=zuUdVPUmzoPVsOkB9QsFVhw4RrXU6Od3kRZwBwm4J6U=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=ZlujqlZl30hgdQ7wf4JWxX9r9AVyhDDID56W9MxxPMeGVh9n31svmGAtv09HgtreK FhIuu5peppqR95GprBxNbncIYLnadeJKFH8jJaeDvCWPnxQk+aPLgS15jEPFIWmm4x 6jSbqbG/6/PvkSr1r6doGzBjT6bWc2mhGEjt2PQwjdQ==
Received: by (Postfix, from userid 500) id D3C1A60022; Wed, 6 Nov 2013 13:33:14 +0000 (UTC)
From: James Cloos <>
In-Reply-To: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90> (Chris Newman's message of "Tue, 05 Nov 2013 17:01:54 -0800")
References: <789202E67F7415FC98D8FECF@96B2F16665FF96BAE59E9B90>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
Copyright: Copyright 2013 James Cloos
OpenPGP: ED7DAEA6; url=
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Wed, 06 Nov 2013 08:33:14 -0500
Message-ID: <>
Lines: 19
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [dane] review of draft-ietf-dane-smtp-with-dane-02.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Nov 2013 13:35:35 -0000

>>>>> "CN" == Chris Newman <> writes:

CN> *2* I believe it's undesirable to attempt to deploy DANE TLSA for
CN> submission services (port 587 or de-facto port 465) 

TLSA SHOULD be checked for *all* TLS connections by clients.  We should
not have any RFCs which try to exempt certain ports, nor recommend
avoiding DANE for certain ports or services.

We want the TLS libraries to implement it (as gnutls has done) and for
applications to take advantage of DANE whenever they initiate TLS sockets.

The only real question is what to do when provided just an ip address.
Should the TLSA be checked in arpa., or should it look under the name
returned by a PTR lookup?

James Cloos <>         OpenPGP: 1024D/ED7DAEA6