Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 16:46 UTC
Date: Mon, 10 Nov 2014 16:46:17 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110164617.GZ161@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141027233223.GL19158@mournblade.imrryr.org>
On Mon, Oct 27, 2014 at 11:32:23PM +0000, Viktor Dukhovni wrote:

> What would be even more helpful is a site that not only tests DNSSEC
> validation and checks for the presence of TLSA RRs, but also connects
> to the domain's MX hosts and reports whether the TLSA RRs match
> reality!  I may end up partnering with some folks to build this,
> but if anyone wants to do it for us, that would be great.
>
> A 3-4% error rate in deploying TLSA records is too high, we need
> better deployment validation tools.  And more prominent guidance
> to pick just either of "2 0 1" or "3 1 1" for SMTP.
>
> I'm also considering releasing a tool that validates a server's
> off-line chain file against an off-line TLSA RRset.  This would
> allow folks to test before they break their server, rather than
> immediately after.

Speaking of testing, the Deploy360 site's list of test servers is in
need of ongoing maintenance.  A noticeable fraction behave differently
than advertised.  The data at

    http://www.internetsociety.org/deploy360/resources/dane-test-sites/

is quite dated.  It should probably be kept up to date or withdrawn.

--
	Viktor.

(The "Address records insecure" result below is how I avoid sending
TLSA queries for unsigned zones where these are likely to be mishandled,
and unlikely to be secure, see the SMTP draft for details).

--- Testing fedoraproject.org...
;; Passed(depth 1, hostname fedoraproject.org) fedoraproject.org. IN TLSA 0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16D7CB17C0
--- Exit code: 0

--- Testing www.freebsd.org...
;; Passed(depth 0): www.freebsd.org. IN TLSA 3 0 1 3F86A1FA85F6E5169CB27BF25C863805EBFD3225A16AADB75587804680992096
--- Exit code: 0

--- Testing torproject.org...
;; Passed(depth 0): torproject.org. IN TLSA 3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10D2A58DA5
--- Exit code: 0

--- Testing jhcloos.com...
;; Passed(depth 3, hostname jhcloos.com) jhcloos.com. IN TLSA 1 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
--- Exit code: 0

--- Testing www.kumari.net...
;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1 8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
--- Exit code: 0

--- Testing good.dane.verisignlabs.com...
;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3
--- Exit code: 0

--- Testing www.statdns.net...
;; Failed: www.statdns.net. IN TLSA 3 0 1 C1D6431EAB897824E3A767A3CBE3B200D9160B20B0B5684C851C47782787D286: certificate not trusted: (27)
--- Exit code: 1

--- Testing dougbarton.us...
;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2 F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08
--- Exit code: 0

--- Testing hacklab.to...
Address records insecure
--- Exit code: 255

--- Testing nohats.ca...
;; Passed(depth 0): nohats.ca. IN TLSA 3 1 1 462573195C86E861ABAB8ECCFBC7F0486958EFDFF9449AC10729B3A0F906F388
--- Exit code: 0

--- Testing www.nlnetlabs.nl...
;; Passed(depth 0): www.nlnetlabs.nl. IN TLSA 3 1 1 F7DB964ED80ED0773F82A21997B2DCBAE434AE821AB1E3E337AD0CCFBFE2359F
--- Exit code: 0

--- Testing www.vulcano.cl...
;; Failed: www.vulcano.cl. IN TLSA 3 0 1 5F301AD10923161E74EC4951C052C97963FEBCCB093019618964D69CAF7B5B34: unable to get local issuer certificate: (20)
--- Exit code: 1

--- Testing www.huque.com...
;; Passed(depth 0): www.huque.com. IN TLSA 3 0 1 0013BEF11B875A58F3B0B1D7A0D439A608277F58433BBB12245B2A28B398C281
--- Exit code: 0

--- Testing dane.nox.su...
DNS Lookup failed: dane.nox.su IN A ?: SERVFAIL
--- Exit code: 255

--- Testing rover.secure64.com...
;; Failed: rover.secure64.com. IN TLSA 3 0 1 D7D680E82EDA59B910D4CF37EC8398432251650A176A20E08ABE45DA728266EF: self signed certificate: (18)
--- Exit code: 1

--- Testing rogue.nohats.ca...
;; Failed: rogue.nohats.ca. IN TLSA 3 0 1 0000000000000000000000000000000000000000000000000000000000000000: unable to get local issuer certificate: (20)
--- Exit code: 1

--- Testing bad-hash.dane.verisignlabs.com...
;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1 9999999999999999999999999999999999999999999999999999999999999999: certificate not trusted: (27)
--- Exit code: 1

--- Testing bad-params.dane.verisignlabs.com...
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
--- Exit code: 1

--- Testing bad-sig.dane.verisignlabs.com...
DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL
--- Exit code: 255
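As an added example (not code from this post or from any tool Viktor mentions), here is the core of the off-line check described above in Go: derive the association data a TLSA RR should carry for a certificate, compare it against the RR's fields, and refuse unregistered usage, selector or matching-type values the way the bad-params results are refused. The certificate and the name mx.example.test are constructed test data; usages 0 and 1 would additionally need PKIX chain building, which this example does not do.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TLSAData is the association data a TLSA RR carries for cert: selector 0 = full
// DER cert, 1 = SubjectPublicKeyInfo; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512.
func TLSAData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	in := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	switch {
	case in == nil || mtype > 2: // unregistered selector (e.g. 119) or matching type (e.g. 17)
		return nil, errors.New("error processing TLSA RR")
	case mtype == 1:
		h := sha256.Sum256(in)
		return h[:], nil
	case mtype == 2:
		h := sha512.Sum512(in)
		return h[:], nil
	}
	return in, nil
}

// Matches is the off-line check: does the RR "usage selector mtype data" match cert?
// Usages 2 and 3 need only this; usages 0/1 also need a PKIX chain build (not done here).
func Matches(cert *x509.Certificate, usage, selector, mtype uint8, data []byte) (bool, error) {
	want, err := TLSAData(cert, selector, mtype)
	if usage > 3 || err != nil { // usage 51 is unregistered, like the 3 119 1 / 3 0 17 records
		return false, errors.New("error processing TLSA RR")
	}
	return bytes.Equal(want, data), nil
}

// SelfSigned makes a throwaway certificate (constructed test data, not any real host's).
func SelfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mx.example.test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Run TLSAData against the server's own chain file to produce the RR to publish, then Matches against the RRset actually in DNS to confirm they agree before the change goes live.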