Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 16:46 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE7E01A00A3 for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 08:46:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_65=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uh2U5Hhc-_bS for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 08:46:20 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8BF51A00EA for <dane@ietf.org>; Mon, 10 Nov 2014 08:46:19 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0D62A2AB2F8; Mon, 10 Nov 2014 16:46:18 +0000 (UTC)
Date: Mon, 10 Nov 2014 16:46:17 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110164617.GZ161@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141027233223.GL19158@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20141027233223.GL19158@mournblade.imrryr.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/uYf-HqmP5iaPnAklVEIRA-vTNlc
Subject: Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 16:46:22 -0000

On Mon, Oct 27, 2014 at 11:32:23PM +0000, Viktor Dukhovni wrote:

> What would be even more helpful is a site that not only tests DNSSEC
> validation and checks for the presence of TLSA RRs, but also connects
> to the domain's MX hosts and reports whether the TLSA RRs match
> reality!  I may end up partnering with some folks to build this,
> but if anyone wants to do it for us, that would be great.
> 
> A 3-4% error rate in deploying TLSA records is too high, we need
> better deployment validation tools.  And more prominent guidance
> to pick just either of "2 0 1" or "3 1 1" for SMTP.
> 
> I'm also considering releasing a tool that validates a server's
> off-line chain file against an off-line TLSA RRset.  This would
> allow folks to test before they break their server, rather than
> immediately after.

Speaking of testing, the Deploy360 site's list of test servers is
in need of ongoing maintenance.  A noticeable fraction behave
differently than advertised.  The data at

    http://www.internetsociety.org/deploy360/resources/dane-test-sites/

is quite dated.  It should probably be kept up to date or withdrawn.

-- 
	Viktor.

(The "Address records insecure" result below is how I avoid sending
TLSA queries for unsigned zones where these are likely to be
mishandled, and unlikely to be secure, see the SMTP draft for
details).

--- Testing fedoraproject.org...
;; Passed(depth 1, hostname fedoraproject.org): fedoraproject.org. IN TLSA 0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16D7CB17C0
--- Exit code: 0

--- Testing www.freebsd.org...
;; Passed(depth 0): www.freebsd.org. IN TLSA 3 0 1 3F86A1FA85F6E5169CB27BF25C863805EBFD3225A16AADB75587804680992096
--- Exit code: 0

--- Testing torproject.org...
;; Passed(depth 0): torproject.org. IN TLSA 3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10D2A58DA5
--- Exit code: 0

--- Testing jhcloos.com...
;; Passed(depth 3, hostname jhcloos.com): jhcloos.com. IN TLSA 1 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
--- Exit code: 0

--- Testing www.kumari.net...
;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1 8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
--- Exit code: 0

--- Testing good.dane.verisignlabs.com...
;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3
--- Exit code: 0

--- Testing www.statdns.net...
;; Failed: www.statdns.net. IN TLSA 3 0 1 C1D6431EAB897824E3A767A3CBE3B200D9160B20B0B5684C851C47782787D286: certificate not trusted: (27)
--- Exit code: 1

--- Testing dougbarton.us...
;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2 F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08
--- Exit code: 0

--- Testing hacklab.to...
Address records insecure
--- Exit code: 255

--- Testing nohats.ca...
;; Passed(depth 0): nohats.ca. IN TLSA 3 1 1 462573195C86E861ABAB8ECCFBC7F0486958EFDFF9449AC10729B3A0F906F388
--- Exit code: 0

--- Testing www.nlnetlabs.nl...
;; Passed(depth 0): www.nlnetlabs.nl. IN TLSA 3 1 1 F7DB964ED80ED0773F82A21997B2DCBAE434AE821AB1E3E337AD0CCFBFE2359F
--- Exit code: 0

--- Testing www.vulcano.cl...
;; Failed: www.vulcano.cl. IN TLSA 3 0 1 5F301AD10923161E74EC4951C052C97963FEBCCB093019618964D69CAF7B5B34: unable to get local issuer certificate: (20)
--- Exit code: 1

--- Testing www.huque.com...
;; Passed(depth 0): www.huque.com. IN TLSA 3 0 1 0013BEF11B875A58F3B0B1D7A0D439A608277F58433BBB12245B2A28B398C281
--- Exit code: 0

--- Testing dane.nox.su...
DNS Lookup failed: dane.nox.su IN A ?: SERVFAIL
--- Exit code: 255

--- Testing rover.secure64.com...
;; Failed: rover.secure64.com. IN TLSA 3 0 1 D7D680E82EDA59B910D4CF37EC8398432251650A176A20E08ABE45DA728266EF: self signed certificate: (18)
--- Exit code: 1

--- Testing rogue.nohats.ca...
;; Failed: rogue.nohats.ca. IN TLSA 3 0 1 0000000000000000000000000000000000000000000000000000000000000000: unable to get local issuer certificate: (20)
--- Exit code: 1

--- Testing bad-hash.dane.verisignlabs.com...
;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1 9999999999999999999999999999999999999999999999999999999999999999: certificate not trusted: (27)
--- Exit code: 1

--- Testing bad-params.dane.verisignlabs.com...
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
--- Exit code: 1

--- Testing bad-sig.dane.verisignlabs.com...
DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL
--- Exit code: 255