Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Tony Finch <dot@dotat.at> Thu, 03 March 2011 19:38 UTC

Date: Thu, 03 Mar 2011 19:39:26 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20110303144600.11178B9E772@drugs.dv.isc.org>
Message-ID: <alpine.LSU.2.00.1103031923050.14985@hermes-1.csi.cam.ac.uk>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local><alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk> <20110303114148.A360FB98E2E@drugs.dv.isc.org> <alpine.LSU.2.00.1103031148130.14985@hermes-1.csi.cam.ac.uk> <20110303133541.C19B6B9E307@drugs.dv.isc.org> <alpine.LSU.2.00.1103031337570.14985@hermes-1.csi.cam.ac.uk> <20110303144600.11178B9E772@drugs.dv.isc.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

On Fri, 4 Mar 2011, Mark Andrews wrote:
>
> It makes all the difference in the world.  MX records DO NOT AND NEVER
> HAVE DEFINED FINAL DELIVERY they have only ever defined the NEXT HOP.

MX records define the inter-domain hop, which is where the mail crosses a
trust boundary, and where authentication is required.

The other store-and-forward hops (from submission to outgoing border
relay; and from incoming border MX to final delivery or to alias
redirector) are within trust boundaries and so they are easier to
authenticate.

> > TLS predates DNSSEC.
>
> Yes and it did not work securely because there was no way to validate
> the DNS responses.

TLS doesn't try to validate the DNS responses, it verifies that you have
successfully connected to a server that can act for the domain you wanted
to reach. If TLS validation succeeds the DNS lookup must necessarily have
given you the right result.

It isn't possible to use DNSSEC to secure a TCP connection to a server
because it doesn't verify that no-one has hijacked the IP address. I don't
know why you keep bringing it up.

Note that these issues are not specific to SMTP: XMPP has similar
difficulties with s2s authentication.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Sole, Lundy, Fastnet: Mainly northeasterly 4 or 5, occasionally 6 in Sole.
Slight or moderate, occasionally rough in Sole and Fastnet. Mainly fair.
Moderate or good.
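The check Tony describes, that TLS "verifies that you have successfully connected to a server that can act for the domain you wanted to reach", hinges on which name the certificate is compared against at the MX hop. The following is an added illustration, not code from this thread or from any of the participants: it implements an RFC 6125 style dNSName match and then runs it over a constructed scenario (all hostnames, certificate SANs and DNS answers are made up) in which the MX answer is either honest or forged. Checking the certificate against the MX target taken from an unauthenticated DNS answer lets a forged answer pass, because the attacker picks a name they already hold a certificate for; checking against the mail domain the sender actually wanted to reach catches it. The `mx_rrset_validated` flag is an assumption standing in for a DNSSEC-validated MX RRset, which is the one case where the MX target name becomes a trustworthy reference identity (DNSSEC still does nothing to authenticate the TCP connection itself; TLS does that).

```python
"""Added illustration of reference-identity choice at the SMTP MX hop.

Nothing here is taken from the thread: all names, certificates and DNS
answers are constructed for the example.
"""


def match_dns_name(pattern: str, name: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive; a '*' is allowed only
    as the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False  # no '*.tld', and '*' covers exactly one label
    return p_labels[1:] == n_labels[1:]


def cert_valid_for(cert_sans, reference: str) -> bool:
    """True if any subjectAltName dNSName in the cert matches the reference."""
    return any(match_dns_name(san, reference) for san in cert_sans)


def reference_names(mail_domain: str, mx_target: str,
                    mx_rrset_validated: bool = False) -> set:
    """Names the server certificate may match for this hop.

    The mail domain is always acceptable: it is what the sender wanted to
    reach and does not depend on the DNS answer.  The MX target is only
    acceptable if the MX RRset itself was authenticated (assumed here to
    mean DNSSEC validation); otherwise a forged answer chooses the name the
    attacker already holds a certificate for.
    """
    names = {mail_domain}
    if mx_rrset_validated:
        names.add(mx_target)
    return names


def mx_hop_authenticated(mail_domain: str, mx_target: str, cert_sans,
                         mx_rrset_validated: bool = False) -> bool:
    """Does a successful TLS handshake on this hop prove we reached a
    server entitled to act for mail_domain?"""
    refs = reference_names(mail_domain, mx_target, mx_rrset_validated)
    return any(cert_valid_for(cert_sans, ref) for ref in refs)


# Constructed scenario: sender wants to deliver mail for example.org.
MAIL_DOMAIN = "example.org"
HONEST_CERT = ["mx.example.org", "example.org"]          # legitimate MX
ATTACKER_CERT = ["mx.attacker.example", "*.attacker.example"]  # attacker's own, valid cert


def honest_path() -> bool:
    """Honest MX answer, legitimate certificate."""
    return mx_hop_authenticated(MAIL_DOMAIN, "mx.example.org", HONEST_CERT)


def spoofed_path_checked_against_mx_name() -> bool:
    """Forged MX answer, but the client verifies the name DNS handed it:
    the attacker's valid certificate passes and the spoof goes unnoticed."""
    return cert_valid_for(ATTACKER_CERT, "mx.attacker.example")


def spoofed_path_checked_against_domain() -> bool:
    """Forged MX answer, client verifies the domain it wanted to reach:
    the attacker's certificate does not cover example.org, so it fails."""
    return mx_hop_authenticated(MAIL_DOMAIN, "mx.attacker.example", ATTACKER_CERT)


def validated_mx_path() -> bool:
    """MX RRset authenticated (assumed DNSSEC): the MX target is now a
    trustworthy reference, so a cert for only mx.example.org suffices."""
    return mx_hop_authenticated(MAIL_DOMAIN, "mx.example.org",
                                ["mx.example.org"], mx_rrset_validated=True)


if __name__ == "__main__":
    for fn in (honest_path, spoofed_path_checked_against_mx_name,
               spoofed_path_checked_against_domain, validated_mx_path):
        print(f"{fn.__name__:40s} -> {fn()}")
```

The uncomfortable consequence, and the design tension behind the thread, is visible in the last two functions: without an authenticated MX answer, a certificate that names only the MX host is not enough, and an MX host serving many domains would need a certificate covering every one of them.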