[dane] TLSA lookup impedance mismatch with bare-bones DNS servers

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 20 November 2013 21:28 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CDBD1AE181 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 13:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2GD5HJc8Lfm for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 13:28:21 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id A25D61AE157 for <dane@ietf.org>; Wed, 20 Nov 2013 13:28:20 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 5C8ED2AB153; Wed, 20 Nov 2013 21:28:13 +0000 (UTC)
Date: Wed, 20 Nov 2013 21:28:13 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131120212813.GJ761@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 21:28:23 -0000

This week I received the first report of SMTP deliveries consistently
deferred due to TLSA RRset lookup problems.  The problem site is
nist.gov which has a DNSSEC validate MX RRset:

    $ secdig() { dig +adflag +noall +comments +ans "$@" @8.8.8.8; }

    $ secdig -t mx nist.gov.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20926
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; ANSWER SECTION:
    nist.gov.	IN	MX	0 nist-gov.mail.protection.outlook.com.

with the MX host an unsigned zone:

    $ secdig -t a nist-gov.mail.protection.outlook.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3142
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; ANSWER SECTION:
    nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.247
    nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.138
    nist-gov.mail.protection.outlook.com. 9	IN A	207.46.163.215

So far, so good, but if one tries to obtain TLSA RRs for the SMTP service
at this host:

    $ secdig -t TYPE52 _25._tcp.nist-gov.mail.protection.outlook.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63234
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

the remote DNS server responds with SERVFAIL, not NXDOMAIN, even though:

    $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

so clearly whatever DNS load-balancing kit is responsible for
mail.protection.outlook.com (the problem happens for all names
from this domain down) has a rather incomplete DNS implementation.

What this means for DANE is that one should try to avoid sending
TLSA queries when the TLSA base domain (the desired TCP endpoint)
has been discovered to lie in an "insecure" zone.

It is extremely unlikely that when "mx.example" is insecure, somehow
through the magic of DLV "_port._tcp.mx.example" is secure.

Postfix had code to avoid such queries, but it was applied too
narrowly (only when sending to non-MX destinations), the next
snapshot will have code to suppress TLSA lookups also with insecure
MX hosts.

Barring a contrary consensus from the group I will add suitable
language to the SMTP and the OPS drafts.  (The Postfix code will
need to implement the work-around regardless, my question is whether
the work-around can be stated in the SMTP and/or OPs drafts).

Without the work-around, there will be undesirable interoperability
issues when TLSA queries are sent to DNS servers that are neither
DNSSEC not DANE TLSA aware and may misbehave when presented with
unexpected queries.

FWIW, the server in question even fails with CNAME or PTR lookups:

    $ secdig -t CNAME _25._tcp.nist-gov.mail.protection.outlook.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38672
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

-- 
	Viktor.