Re: [dane] dual use of TLSA RR

"shmick@riseup.net" <shmick@riseup.net> Fri, 10 October 2014 15:19 UTC

Message-ID: <5437F908.4050000@riseup.net>
Date: Sat, 11 Oct 2014 02:19:36 +1100
From: "shmick@riseup.net" <shmick@riseup.net>
To: dane@ietf.org
References: <5436AB8A.2090202@riseup.net> <20141009162752.GS13254@mournblade.imrryr.org>
In-Reply-To: <20141009162752.GS13254@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/w2IHsNQIdjTOjNc3ykl1ecmCxcM

Thanks,

Viktor Dukhovni wrote:
> On Fri, Oct 10, 2014 at 02:36:42AM +1100, shmick@riseup.net wrote:
> 
>> is it possible & legal to incorporate 2 TLSA RRs in a zone file the
>> following way for the same protocol/port ie. 25:
> 
> Yes, absolutely.  Multiple TLSA RRs can and will appear in a TLSA
> RRset, either as a result of key rotation in progress, or because
> there are multiple keys valid at the same time.

I signed my zone file OK and have the following:

_25._tcp.ns1.example.net. IN CNAME tlsa311._dane.example.net.

tlsa311._dane.example.net. IN TLSA 3 1 1 (
    4e02a17b48f8dd3fb451871222278d248c3f51ea5f25ec2e06f65096c80391b0 ) ; ECC

tlsa311._dane.example.net. IN TLSA 3 1 1 (
    9ff5a335ddb86c368a9b3fc49d1a81f738d57f8f8f96c973e87513bbf24532c3 ) ; RSA

I'm waiting for confirmation from somebody that they see "Verified TLS
conn..."

> 
>> Assume postfix has setup 2 certs; an RSA and ECDSA
>>
>> If it's possible how would a particular TLSA RR be chosen?
> 
> Each TLSA RR is compared against the server's chain until one
> matches.
> 
>> Is it based upon negotiated cipher?
> 
> No, generally the TLSA RR does not signal a particular public key
> algorithm.  With matching type Full(0) one could infer the algorithm
> from public key, but in practice it is easier to just compare the
> bits regardless.
>
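The selection rule Viktor describes above (every TLSA RR in the RRset is compared against the server's certificate chain until one matches, with no attempt to infer the key algorithm from the record) is shown here as an added example; it is not code from this thread, from Postfix, or from any DANE library. The script parses a TLSA RRset written in zone-file presentation form, including the parenthesised multi-line layout that a 64-character SHA-256 digest usually needs, and then walks the RRset against a chain. The key bytes (ECDSA_SPKI, RSA_SPKI), the zone fragment, the `cert` dict layout and the `matching_record` helper are all constructed for illustration; a real verifier takes the SubjectPublicKeyInfo out of the DER certificate the server presents.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    owner: str
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match ("Full"), 1 SHA-256, 2 SHA-512
    data: str      # certificate association data, lower-case hex


def parse_tlsa_zone(text: str) -> list:
    """Collect TLSA records from zone-file presentation format.

    Handles ';' comments and records wrapped in parentheses across lines.
    """
    records, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop trailing comment
        depth += line.count("(") - line.count(")")
        buf += " " + line
        if depth > 0:                        # record continues on the next line
            continue
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if "TLSA" not in tokens:
            continue                         # CNAME and other types are skipped
        i = tokens.index("TLSA")
        usage, selector, mtype = (int(t) for t in tokens[i + 1:i + 4])
        data = "".join(tokens[i + 4:]).lower()
        records.append(TLSARecord(tokens[0], usage, selector, mtype, data))
    return records


def tlsa_matches(rec: TLSARecord, cert: dict) -> bool:
    """Compare one TLSA record against one certificate.

    `cert` is a dict holding the DER certificate under "der" and its
    SubjectPublicKeyInfo under "spki" (a stand-in for a parsed X.509 object).
    The key algorithm is never consulted: only the selected bytes are compared.
    """
    if rec.selector == 0:
        subject = cert["der"]
    elif rec.selector == 1:
        subject = cert["spki"]
    else:
        return False                         # unknown selector: unusable record
    if rec.mtype == 0:
        return subject.hex() == rec.data     # Full(0): the raw bytes themselves
    if rec.mtype == 1:
        return hashlib.sha256(subject).hexdigest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(subject).hexdigest() == rec.data
    return False                             # unknown matching type


def dane_verify(rrset: list, chain: list):
    """Return the first record in the RRset that matches the chain, else None.

    Usage 3 (DANE-EE) is checked only against the end-entity certificate,
    chain[0]; usage 2 (DANE-TA) against every certificate the server sent,
    and a real verifier then also validates the chain up to that anchor.
    Usages 0 and 1 additionally require PKIX validation, not modelled here.
    """
    for rec in rrset:
        if rec.usage == 3 and tlsa_matches(rec, chain[0]):
            return rec
        if rec.usage == 2 and any(tlsa_matches(rec, c) for c in chain):
            return rec
    return None


# Constructed stand-ins for the thread's two server keys: hypothetical bytes,
# not real DER. In practice these are the certificates' SubjectPublicKeyInfo.
ECDSA_SPKI = b"constructed ECDSA SubjectPublicKeyInfo"
RSA_SPKI = b"constructed RSA SubjectPublicKeyInfo"

# Constructed zone fragment with the shape of the one posted in the thread; the
# digests are computed from the stand-in keys so the example checks itself.
ZONE = f"""
_25._tcp.ns1.example.net.   IN CNAME tlsa311._dane.example.net.

tlsa311._dane.example.net.  IN TLSA 3 1 1 (
    {hashlib.sha256(ECDSA_SPKI).hexdigest()} )  ; ECDSA key
tlsa311._dane.example.net.  IN TLSA 3 1 1 (
    {hashlib.sha256(RSA_SPKI).hexdigest()} )    ; RSA key
"""


def matching_record(presented_spki: bytes):
    """TLSA record matched by a server presenting `presented_spki`, or None."""
    rrset = parse_tlsa_zone(ZONE)
    # One-certificate chain; the DER bytes are constructed too (selector 0 is unused here).
    chain = [{"der": b"constructed end-entity cert " + presented_spki, "spki": presented_spki}]
    return dane_verify(rrset, chain)


if __name__ == "__main__":
    for label, spki in (("ECDSA", ECDSA_SPKI), ("RSA", RSA_SPKI), ("unknown", b"some other key")):
        rec = matching_record(spki)
        print(f"{label:8s} -> {'matched ' + rec.data[:16] + '...' if rec else 'no TLSA match'}")
```

Whichever key Postfix ends up using for a given connection, the verifier only needs one record in the RRset to match, which is why publishing both the ECDSA and the RSA digest under the same owner name is enough; the order of the records in the zone does not matter for the outcome, only for which one is tried first.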