IETF Logo Mail Archive

Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)

Mark Andrews <marka@isc.org> Tue, 26 May 2015 02:19 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FC2A1A8870; Mon, 25 May 2015 19:19:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hr37N7eqCi0F; Mon, 25 May 2015 19:19:22 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 505511A886C; Mon, 25 May 2015 19:19:22 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id EEE7634940D; Tue, 26 May 2015 02:19:18 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 2B902160053; Tue, 26 May 2015 02:19:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D522B160087; Tue, 26 May 2015 02:19:43 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id XL_T9Lj4Dfjc; Tue, 26 May 2015 02:19:43 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 23274160053; Tue, 26 May 2015 02:19:43 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 90A7D2F51662; Tue, 26 May 2015 12:19:15 +1000 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20150524204121.31745.72546.idtracker@ietfa.amsl.com> <20150525020430.GK17272@mournblade.imrryr.org> <841AFD92-8615-43BF-98B4-48770FA72235@ogud.com> <20150526000338.D70AC2F50D87@rock.dv.isc.org> <alpine.LFD.2.11.1505252020130.5996@bofh.nohats.ca> <20150526012812.GP17272@mournblade.imrryr.org>
In-reply-to: Your message of "Tue, 26 May 2015 01:28:12 +0000." <20150526012812.GP17272@mournblade.imrryr.org>
Date: Tue, 26 May 2015 12:19:14 +1000
Message-Id: <20150526021915.90A7D2F51662@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/xk6mOGRsM6kEHp3s9XukLRjJ8lE>
Cc: draft-ietf-dane-smtp-with-dane@ietf.org
Subject: Re: [dane] Barry Leiba's Discuss on draft-ietf-dane-smtp-with-dane-17: (with DISCUSS and COMMENT)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 02:19:24 -0000

In message <20150526012812.GP17272@mournblade.imrryr.org>, Viktor Dukhovni writ
es:
> On Mon, May 25, 2015 at 08:31:23PM -0400, Paul Wouters wrote:
> 
> > >If the A/AAAA is insecure the TLSA lookup will be insecure due to
> > >there being not DNSSEC trusted path the TLSA node.
> > 
> > I don't understand this.
> 
> Let's make it specific.  If the zone containing
> 
>     smtp.example.com. IN A 192.0.2.1
> 
> is unsigned (whether because example.com is unsigned, or because
> "smtp.example.com" is itself a delegated 'insecure' zone), then
> it is exceedingly unlikely (a miracle) if somehow the associated
> TLSA RRset:
> 
>     _25._tcp.smtp.example.com. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb924
> 27ae41e4649b934ca495991b7852b855
> 
> is "secure".  For that to happen, there would have to be an explicit
> DNSSEC trust-anchor for either "_tcp.smtp.example.com" or
> "_25._tcp.example.com" configured in the validating resolver.
> 
> Since that's going to happen basically "never", the client just
> assumes the inevitable outcome, and avoids the lookup.
> 
> The canonical problem case is "nist.gov".  Their zone is signed
> and MX lookups yield a "secure" result:
> 
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52380
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>     nist.gov.               MX      0 nist-gov.mail.protection.outlook.com.
> 
> If address record lookups that lead to "insecure" answers:
> 
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2284
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>     nist-gov.mail.protection.outlook.com. A 207.46.163.247
>     nist-gov.mail.protection.outlook.com. A 207.46.163.170
>     nist-gov.mail.protection.outlook.com. A 207.46.163.138
> 
> are not used to infer that "TLSA" is also "insecure" and thus to
> suppress TLSA lookups, then TLSA lookups fail, and to avoid
> "downgrade" attacks no mail is delivered to "nist.gov".
> 
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60707
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>     ;_25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA

The servers for outlook.com also don't handle EDNS version negotiation
or unknown EDNS options.  ISC is intending to ship BIND 9.11.0 with
DNS COOKIES enabled by default.  There is going to be more pain
than just TLSA lookups once that happens.  See the following report
for all the EDNS compliance errors with the servers for outlook.com.

	https://ednscomp.isc.org/ednscomp/6840acd09c

Yes, Microsoft were informed months ago that their servers are not
EDNS compliant and that what we intend to ship servers that won't
work with the servers they are using.

Fixing these bugs should take less than 5 minutes for a developer
of the nameservers Microsoft are using.  They are trivial compliance
bugs.

Add:
	/* If the EDNS version is != 0 send BADVERS as the error code. */
	if (opt != NULL && ((opt->ttl >> 16) & 0xff) != 0) {
		send_error(rcode = BADVERS);
		return;
	}

Remove:

	if (opt != NULL && opt->rdlen != 0) {
		send_error(rcode = FORMERR);
		return;
	}

As unknown EDNS options are supposed to be ignored.

Reconfigure the firewall to ignore EDNS version in the opt record
on 3 of the servers.

Fixing the TLSA issue is also similar.  It should result in a NOERROR
no data response.  Stop sending NOTIMP on unknown types that are
not reserved for META queries.  The handling of non meta query types
was documented over a decade ago.  The servers are capable of sending
valid NOERROR no data responses which this mx response demonstrates.

; <<>> DiG 9.11.0pre-alpha <<>> +noedns mx _25._tcp.nist-gov.mail.protection.outlook.com @ns2-proddns.glbdns.o365filtering.com +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56970
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_25._tcp.nist-gov.mail.protection.outlook.com. IN MX

;; AUTHORITY SECTION:
mail.protection.outlook.com. 3600 IN	SOA	ns1-proddns.glbdns.o365filtering.com. hostmaster.o365filtering.com. 2013010801 3600 600 86400 3600

;; Query time: 188 msec
;; SERVER: 207.46.100.42#53(207.46.100.42)
;; WHEN: Tue May 26 12:13:19 EST 2015
;; MSG SIZE  rcvd: 190

It's not like sending the wrong response code is a new issue.  We
have CERT advisories issued in the past for just such misbehaviour
(NXDOMAIN in response to AAAA queries).

Is it going to require someone writing up a CERT advisary for load
balancer vendors to fix their broken servers?

> Such failures would make deployment of DANE TLS for SMTP unattractive
> to MTA administrators.  The proposed language (implemented in
> Postfix and Exim) avoids this problem.  We've discussed this before.
> 
> > Wether the A/AAA is spoofed or someone
> > with sufficient power to redirect routing of that range to them
> > is the same thing.
> 
> The A/AAAA lookups serve to discover whether the zone with the
> server name is signed.  We don't actually care whether the address
> records are secure.  We could query for any other record that
> "bare-bones" nameservers don't mishandle, but since the A
> records will be needed anyway, we use those.
> 
> > I don't like that because I would like to be able to publish TLSA
> > records in my nohats.ca zone pointing to some mail service I use
> > that uses certificates but are not themselves dnssec signed. eg:
> > 
> > nohats.ca. IN MX 5 mail.insecure-bigmail.com.
> > nohats.ca. IN TLSA <blob>
> 
> This does you no good anyway, because queries for TLSA records with
> MX and SRV services are made for the "_<port>._tcp.<target host>"
> NOT "_<port>._tcp.<service domain>".  Nor are you particulary likely
> to reliably publish accurate TLSA records for a server operated by
> a third party.  Inevitably they'll make changes on their end, and
> your mail will stop.  So this is not an option.
> 
> > As for insecure TLSA records themselves, while I would prefer we
> > would use them in a better-than-nothing sense, I am more fearful of
> > implementations just not bothering or forgetting to check for DNSSEC
> > and blindly trusting these. So I think it is more clear to just say
> > ignore insecure TLSA records.
> 
> I think we agree on that.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email