[dane] TLSA lookup impedance mismatch with bare-bones DNS servers
Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 20 November 2013 21:28 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CDBD1AE181 for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 13:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2GD5HJc8Lfm for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 13:28:21 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id A25D61AE157 for <dane@ietf.org>; Wed, 20 Nov 2013 13:28:20 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 5C8ED2AB153; Wed, 20 Nov 2013 21:28:13 +0000 (UTC)
Date: Wed, 20 Nov 2013 21:28:13 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131120212813.GJ761@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 21:28:23 -0000
This week I received the first report of SMTP deliveries consistently deferred due to TLSA RRset lookup problems. The problem site is nist.gov which has a DNSSEC validate MX RRset: $ secdig() { dig +adflag +noall +comments +ans "$@" @8.8.8.8; } $ secdig -t mx nist.gov. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20926 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; ANSWER SECTION: nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com. with the MX host an unsigned zone: $ secdig -t a nist-gov.mail.protection.outlook.com. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3142 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; ANSWER SECTION: nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.247 nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.138 nist-gov.mail.protection.outlook.com. 9 IN A 207.46.163.215 So far, so good, but if one tries to obtain TLSA RRs for the SMTP service at this host: $ secdig -t TYPE52 _25._tcp.nist-gov.mail.protection.outlook.com. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63234 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 the remote DNS server responds with SERVFAIL, not NXDOMAIN, even though: $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 so clearly whatever DNS load-balancing kit is responsible for mail.protection.outlook.com (the problem happens for all names from this domain down) has a rather incomplete DNS implementation. What this means for DANE is that one should try to avoid sending TLSA queries when the TLSA base domain (the desired TCP endpoint) has been discovered to lie in an "insecure" zone. It is extremely unlikely that when "mx.example" is insecure, somehow through the magic of DLV "_port._tcp.mx.example" is secure. Postfix had code to avoid such queries, but it was applied too narrowly (only when sending to non-MX destinations), the next snapshot will have code to suppress TLSA lookups also with insecure MX hosts. Barring a contrary consensus from the group I will add suitable language to the SMTP and the OPS drafts. (The Postfix code will need to implement the work-around regardless, my question is whether the work-around can be stated in the SMTP and/or OPs drafts). Without the work-around, there will be undesirable interoperability issues when TLSA queries are sent to DNS servers that are neither DNSSEC not DANE TLSA aware and may misbehave when presented with unexpected queries. FWIW, the server in question even fails with CNAME or PTR lookups: $ secdig -t CNAME _25._tcp.nist-gov.mail.protection.outlook.com. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38672 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 -- Viktor.
- [dane] TLSA lookup impedance mismatch with bare-b… Viktor Dukhovni
- Re: [dane] TLSA lookup impedance mismatch with ba… Mark Andrews
- Re: [dane] TLSA lookup impedance mismatch with ba… Viktor Dukhovni
- Re: [dane] TLSA lookup impedance mismatch with ba… Martin Rex
- Re: [dane] TLSA lookup impedance mismatch with ba… Mark Andrews
- Re: [dane] TLSA lookup impedance mismatch with ba… James Cloos
- Re: [dane] TLSA lookup impedance mismatch with ba… Viktor Dukhovni