IETF Logo Mail Archive

Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Mark Andrews <marka@isc.org> Thu, 03 March 2011 11:40 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 263D13A69C3 for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 03:40:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.5
X-Spam-Level:
X-Spam-Status: No, score=-2.5 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRQ8bP-V58+m for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 03:40:57 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id 20D383A69BD for <dnsext@ietf.org>; Thu, 3 Mar 2011 03:40:57 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id CC8FCC9427; Thu, 3 Mar 2011 11:41:52 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 0F9AB216C31; Thu, 3 Mar 2011 11:41:52 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id A360FB98E2E; Thu, 3 Mar 2011 22:41:48 +1100 (EST)
To: Tony Finch <dot@dotat.at>
From: Mark Andrews <marka@isc.org>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local><alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk>
In-reply-to: Your message of "Thu, 03 Mar 2011 11:18:33 -0000." <alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk>
Date: Thu, 03 Mar 2011 22:41:48 +1100
Message-Id: <20110303114148.A360FB98E2E@drugs.dv.isc.org>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 11:40:59 -0000

In message <alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk>, Tony F
inch writes:
> On Tue, 1 Mar 2011, Alex Bligh wrote:
> >
> > However in each case in the 'S' variant of the protocol, you need to
> > provide a separate certificate for the alias to the canonical name,
> > which means you can't automatically configure / synthesise the alias
> > config in the same way you can for the non-'S' variant. What MX / SRV
> > are allowing you to do for services that support them is hide this with
> > another level of indirection.
> 
> The situation with TLS and SMTP is a mess. Inter-domain SMTP with TLS does
> not work with certificate validation. There is no specification for how to
> validate the TLS certificate for an MX server, and it is not obvious what
> such a specification should say. In practice the vast majority of deployed
> MX TLS certificates cannot be validated, neither against the MX owner name
> nor against the MX target.

If you read RFC 821 the HELO response should be used to check that
you are talking to the machine you are expecting to.

   3.5.  OPENING AND CLOSING

      At the time the transmission channel is opened there is an
      exchange to ensure that the hosts are communicating with the hosts
      they think they are.

      The following two commands are used in transmission channel
      opening and closing:

         HELO <SP> <domain> <CRLF>

         QUIT <CRLF>

      In the HELO command the host sending the command identifies
      itself; the command may be interpreted as saying "Hello, I am
      <domain>".

The MX owner name never make sense.  The MX target is *suposed*
to be the (singular) cannonical name of the machine.  The fact that
people abuse this doesn't mean that the MX target shouldn't be used.

> http://www.imc.org/ietf-smtp/mail-archive/msg05366.html
> 
> Message submission (RFC 4409) doesn't use MX records and works well with
> certificate validation, just like POP and IMAP. Note that these three
> protocols use the DNS in the same way as HTTP (and FTP, and telnet, and
> ssh, etc.) so I don't think HTTP is an outlier as Niall said - it's just
> old school.
> 
> > In https that's hard as the cert is chosen before the GET line comes
> > through.
> 
> This is what TLS server name indication is for.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Plymouth, Biscay, FitzRoy: Northeast 5 to 7. Moderate or rough. Showers. Good
> .
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email