Re: [dane] WGLC: DANE-SRV & DANE-SMTP
Olafur Gudmundsson <ogud@ogud.com> Fri, 20 February 2015 22:13 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81DEF1A891A for <dane@ietfa.amsl.com>; Fri, 20 Feb 2015 14:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-ATKafpc6GS for <dane@ietfa.amsl.com>; Fri, 20 Feb 2015 14:13:03 -0800 (PST)
Received: from smtp92.ord1c.emailsrvr.com (smtp92.ord1c.emailsrvr.com [108.166.43.92]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43FE01A8924 for <dane@ietf.org>; Fri, 20 Feb 2015 14:13:03 -0800 (PST)
Received: from smtp12.relay.ord1c.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp12.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id BC9BF38077A for <dane@ietf.org>; Fri, 20 Feb 2015 17:13:02 -0500 (EST)
Received: by smtp12.relay.ord1c.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 46C4A380887 for <dane@ietf.org>; Fri, 20 Feb 2015 17:13:02 -0500 (EST)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-74-96-189-180.washdc.fios.verizon.net [74.96.189.180]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:465 (trex/5.4.2); Fri, 20 Feb 2015 22:13:02 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20150220220921.GH1260@mournblade.imrryr.org>
Date: Fri, 20 Feb 2015 17:13:01 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <98BDCF0E-88CD-4392-9194-DABB8AA62532@ogud.com>
References: <20150220220921.GH1260@mournblade.imrryr.org>
To: dane@ietf.org
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/y7mIg2WX7TX5rfuQVjQYAlA6emw>
Subject: Re: [dane] WGLC: DANE-SRV & DANE-SMTP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 22:13:10 -0000
Dear colleagues please take a few minutes to review this document if you have not done so yet. This is a critical document from the working group and the chairs rather want the WG to find any issues then in IETF last call. We plan to start a WGLC on the related OPS document RSN and will live with cross references between the documents as they will all be published at the same time Olafur > On Feb 20, 2015, at 5:09 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Tue, Feb 17, 2015 at 05:41:12PM -0500, Olafur Gudmundsson wrote: > >> The SRV document got number of good reviews and editors have updated the >> document to reflect the comments received, version -11 should be final WG >> version and we plan to advance it to the IESG. > > Great, thanks! > >> SMTP document did not get as many reviews, only 3 that I can see Paul >> Hoffman (no comments), Dan York (not a thorough review) and Sean Turner, >> who had number of comments. > > Perhaps some folks [hint, hint] can return the favour and review > the SMTP draft in full. :-) > >> The github repository contains a version of the document that addresses >> all the comments received. Editors please post ASAP. > > A -14 version has been pushed. I've not yet received any feedback on > the possibility of extending the operational considerations section > based on the last few months of operational experience. Please > advise... > > On Thu, Jan 08, 2015 at 01:15:29AM +0000, Viktor Dukhovni wrote: > >> [...] >> >> I did ask a question during LC: >> >> http://www.ietf.org/mail-archive/web/dane/current/msg07159.html >> >> ... >> >> One deployment pitfall discovered in recent interoperability tests >> is that some domains have cleartext-only anti-spam proxies in front >> of their MTA, with the proxies only allowing connections to the >> real MTA once the SMTP client passes a grey-listing check (this >> was observed with "spamd" as the proxy, but any "selective access" >> to TLS can be similarly problematic). >> >> If the receiving domain publishes TLSA records, this creates a >> catch-22 with DANE-aware client MTAs. The DANE client never begins >> the first mail transaction, because the proxy does not offer >> STARTTLS, (the proxy is a receiving system deployed downgrade to >> cleartext MiTM in front of the real MTA). >> >> The short-term solution for such domains is to NOT publish TLSA >> RRs for port 25. Longer-term the anti-spam proxy should be upgraded >> to support STARTTLS. For example, the Postfix "postscreen" service, >> which has functionality similar to "spamd", supports STARTTLS so that >> grey-listing does not amount to a similar downgrade attack. >> >> I'd like to add some language about avoiding this problem in the >> operational considerations section of the smtp-with-dane draft. >> Any objections? >> >> Additional operational considerations might include not forgetting >> to update TLSA RRs for *all* the names under which a server might >> be known when doing key rotation. This is a problem particularly >> when a single wild-card certificate is deployed on all the MX hosts, >> and replaced concurrently on them all, creating an immediate outage >> for any domains that use variant MX host names (for flexibility of >> later hosting some domains separately). With DANE one should >> strongly consider per-server certificates to avoid synchronized >> multi-MTA outages. >> >> And lastly, by far the most common problems are with DNSSEC. A >> mixture of failure to perform timely re-signing and at present lots >> of domains with nameservers that have non-working Denial of Existence. >> I don't have a comprehensive list of software that is deficient in >> this manner, but it seems that some older versions of PowerDNS >> botch DoE in at least some configurations. Similar issues reportedly >> with djbdns DNSSEC patches. A few domains have firewalls that >> block TLSA queries, one blocked these only for IPv4 clients, with >> IPv6 clients not filtered, that can create difficult to diagnose >> problems. >> >> So I am looking for guidance on how much *current* operational >> experience to include in the draft that may ultimately become >> irrelevant as the infrastructure improves, but may be very useful >> to get us past the initial deployment hurdles. If we don't get >> early adopters past the initial problems, the long-term obsolescence >> of the issues might remain forever in the future. >> >> Any feedback on that would be appreciated, plus guidance on *when* to >> make any such changes. > > -- > Viktor. > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane
- [dane] Adoption data-point and operational consid… Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV & DANE-SMTP Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV & DANE-SMTP Olafur Gudmundsson
- Re: [dane] WGLC: DANE-SRV & DANE-SMTP Brian Dickson
- Re: [dane] WGLC: DANE-SMTP (final operational gui… Viktor Dukhovni
- Re: [dane] WGLC: DANE-SMTP (final operational gui… James Cloos
- [dane] OPS? (was: WGLC: DANE-SRV & DANE-SMTP) Viktor Dukhovni