Re: [dane] making ietf.org eat the DANE dogfood

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 22 May 2013 12:41 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA4121F96B3 for <dane@ietfa.amsl.com>; Wed, 22 May 2013 05:41:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.468
X-Spam-Level:
X-Spam-Status: No, score=-2.468 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YW4vaGHeEx0g for <dane@ietfa.amsl.com>; Wed, 22 May 2013 05:41:33 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 7099221F96B6 for <dane@ietf.org>; Wed, 22 May 2013 05:41:17 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 998B62AB9C6; Wed, 22 May 2013 12:41:16 +0000 (UTC)
Date: Wed, 22 May 2013 12:41:16 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130522124116.GD582@mournblade.imrryr.org>
References: <519BD393.7020302@ieca.com> <519BD433.6090609@stpeter.im> <519CA48B.4060903@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <519CA48B.4060903@cs.tcd.ie>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] making ietf.org eat the DANE dogfood
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2013 12:41:37 -0000

On Wed, May 22, 2013 at 11:57:15AM +0100, Stephen Farrell wrote:

> I wouldn't be surprised if the SMTP/TLS with DANE thing was the
> first one to offer benefits, but its maybe still a little
> early for that just yet.

It is early to expect "benefits", since very few clients are deployed
as yet, but not at all early to deploy; the TLSA record does no harm.
There is no downside: no existing SMTP clients refuse to deliver to
sites with unauthenticated certificates.

A Postfix production snapshot (Wietse code review complete) will
likely be available in June, at which point more people will be in
a position to deploy DANE TLSA capable SMTP clients.  They'll also
need a DNSSEC enabled local (127.0.0.1) caching DNS resolver.

So this is a good time to deploy server TLSA records:

    ; Usage 3 (DANE-EE): SHA256 digest of the server's public key
    ; (selector 1) or of its full certificate (selector 0).
    mail.example.com. IN TLSA 3 1 1 ...
    mail.example.com. IN TLSA 3 0 1 ...

    ; Usage 2 (DANE-TA): SHA256 of the issuing trust-anchor CA public key
    ; (selector 1) or certificate (selector 0).  With the trust-anchor
    ; issuer certificate included in the server chain file!
    ;
    mail.example.com. IN TLSA 2 1 1 ...
    mail.example.com. IN TLSA 2 0 1 ...

-- 
	Viktor.
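Added example, not part of the message above and not Postfix code: how the
"..." in the records Viktor lists is produced and how an SMTP client would
match it. The rdata for selector 0 is the full DER certificate, for selector 1
the DER SubjectPublicKeyInfo; matching type 1 hashes that with SHA-256. The
certificates used here are constructed DER stand-ins with the outer layout of an
X.509 certificate (they are unsigned and would not load in a TLS stack); the
names `mail.example.com` and `Example CA`, the key bytes and the function names
are assumptions for illustration. Path validation of the leaf to a matched
DANE-TA certificate is omitted and noted in the code.

```python
import hashlib
from collections import namedtuple

# --- minimal DER helpers, enough for the outer X.509 structure --------------
TLV = namedtuple("TLV", "tag raw value")
SEQ, INT, OID, BITSTR, NULL, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x05, 0xA0

def der_encode(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_decode(buf, pos=0):
    """Decode the TLV at buf[pos:]; return (tag, value, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def der_children(body):
    """Split a constructed DER body into its child TLVs (raw bytes kept)."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = der_decode(body, pos)
        out.append(TLV(tag, body[pos:end], value))
        pos = end
    return out

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = der_decode(cert_der)
    tbs = der_children(cert_body)[0]
    fields = der_children(tbs.value)
    return fields[6 if fields[0].tag == CTX0 else 5].raw

# --- TLSA rdata generation and matching (RFC 6698 semantics) ---------------
def tlsa_rdata(cert_der, selector, mtype):
    """selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def tlsa_record(owner, usage, selector, mtype, cert_der):
    """Zone-file line for the record, hex-encoded rdata."""
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_rdata(cert_der, selector, mtype).hex()}"

def parse_tlsa(line):
    """Parse 'owner IN TLSA u s m hex' back into (usage, selector, mtype, bytes)."""
    _owner, _cls, _type, usage, selector, mtype, data = line.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)

SMTP_USABLE_USAGES = {2, 3}  # RFC 7672: PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP

def tlsa_matches(record, chain):
    """Does one TLSA record match the presented chain (chain[0] is the leaf)?
    DANE-EE(3) matches the leaf only; DANE-TA(2) matches a CA certificate that
    the server included in its chain (which is why Viktor says to ship the
    trust-anchor issuer certificate).  Verifying that the leaf actually chains
    to that matched CA is omitted here."""
    usage, selector, mtype, data = record
    if usage not in SMTP_USABLE_USAGES:
        return False
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(tlsa_rdata(c, selector, mtype) == data for c in candidates)

def dane_accepts(records, chain):
    """A connection is authenticated if any usable record matches."""
    return any(tlsa_matches(r, chain) for r in records)

# --- constructed stand-in certificates (assumption: not real, unsigned) ----
def fake_cert(subject, pubkey_bytes, serial):
    rsa_oid = der_encode(OID, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = der_encode(SEQ, rsa_oid + der_encode(NULL, b""))
    spki = der_encode(SEQ, alg + der_encode(BITSTR, b"\x00" + pubkey_bytes))
    name = der_encode(SEQ, subject.encode())            # placeholder Name
    tbs = der_encode(SEQ, der_encode(CTX0, der_encode(INT, b"\x02"))
                     + der_encode(INT, bytes([serial])) + alg + name
                     + der_encode(SEQ, b"") + name + spki)
    return der_encode(SEQ, tbs + alg + der_encode(BITSTR, b"\x00" * 9))

LEAF = fake_cert("mail.example.com", b"\x01" * 64, 1)
ISSUER = fake_cert("Example CA", b"\x02" * 64, 2)

def example_zone():
    """The four record shapes from the message, filled in for LEAF/ISSUER."""
    o = "mail.example.com."
    return [tlsa_record(o, 3, 1, 1, LEAF), tlsa_record(o, 3, 0, 1, LEAF),
            tlsa_record(o, 2, 1, 1, ISSUER), tlsa_record(o, 2, 0, 1, ISSUER)]

if __name__ == "__main__":
    for line in example_zone():
        print(line)
    print("matches:", dane_accepts([parse_tlsa(l) for l in example_zone()], [LEAF, ISSUER]))
```

On a real certificate the same digests come from `openssl x509 -outform DER`
(selector 0) or `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER`
(selector 1) piped into `openssl dgst -sha256`; the "3 1 1" form is the one to
prefer, since it survives certificate renewals that keep the same key.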