Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Tony Finch <dot@dotat.at> Thu, 03 March 2011 11:17 UTC

Date: Thu, 03 Mar 2011 11:18:33 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Alex Bligh <alex@alex.org.uk>
In-Reply-To: <302DAD77E927757D3DEA05DF@nimrod.local>
Message-ID: <alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 11:17:32 -0000

On Tue, 1 Mar 2011, Alex Bligh wrote:
>
> However in each case in the 'S' variant of the protocol, you need to
> provide a separate certificate for the alias to the canonical name,
> which means you can't automatically configure / synthesise the alias
> config in the same way you can for the non-'S' variant. What MX / SRV
> are allowing you to do for services that support them is hide this with
> another level of indirection.

The situation with TLS and SMTP is a mess. Inter-domain SMTP with TLS does
not work with certificate validation. There is no specification for how to
validate the TLS certificate for an MX server, and it is not obvious what
such a specification should say. In practice the vast majority of deployed
MX TLS certificates cannot be validated, neither against the MX owner name
nor against the MX target.

http://www.imc.org/ietf-smtp/mail-archive/msg05366.html

Message submission (RFC 4409) doesn't use MX records and works well with
certificate validation, just like POP and IMAP. Note that these three
protocols use the DNS in the same way as HTTP (and FTP, and telnet, and
ssh, etc.) so I don't think HTTP is an outlier as Niall said - it's just
old school.

> In https that's hard as the cert is chosen before the GET line comes
> through.

This is what TLS server name indication is for.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Plymouth, Biscay, FitzRoy: Northeast 5 to 7. Moderate or rough. Showers. Good.
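The message above turns on which reference identity a client could even try to match an MX server's certificate against: the MX owner name (the mail domain itself) or the MX target (the host the MX record points at). The following is an added illustration, not code from the thread or from any named implementation; the hostnames, the MX mapping and the SAN lists are constructed sample data. It models a certificate as its list of dNSName entries, applies one-label wildcard matching, and reports which of the two identities a given certificate would satisfy, so the "neither against the owner name nor against the target" case can be seen concretely.

```python
"""Which reference identity does an MX server's certificate match?

Added example for the dnsext thread on aliasing and TLS: a certificate is
modelled only by its subjectAltName dNSName entries, and we check it against
both candidate identities a mail client might use.  All names below are
constructed for illustration (they are not real zones or certificates).
"""
from typing import Iterable, List

# Constructed MX data: a mail domain whose MX points at a hosting provider.
MX_RECORDS = {"example.org": "mx1.mailhost.example"}

# Constructed certificates, represented as their SAN dNSName lists.
SAMPLE_CERTS = {
    "provider-default": ["mx1.mailhost.example", "*.mailhost.example"],
    "customer-issued": ["example.org", "*.example.org"],
    "stale-hostname": ["old-mx.mailhost.example"],
}


def _dnsname_matches(pattern: str, name: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  Only a single
    leading wildcard label is honoured, and it stands for exactly one label
    (RFC 6125 style): "*.mailhost.example" matches "mx1.mailhost.example" but
    neither "mailhost.example" nor "a.mx1.mailhost.example".
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # e.g. ".mailhost.example"
        if not name.endswith(suffix):
            return False
        head = name[: -len(suffix)]     # the part the wildcard must cover
        return head != "" and "." not in head
    return False


def cert_matches(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry matches the hostname."""
    return any(_dnsname_matches(p, hostname) for p in san_names)


def classify(mx_owner: str, mx_target: str, san_names: List[str]) -> str:
    """Report which reference identity the certificate satisfies.

    Returns one of "both", "owner", "target" or "none".  A client that only
    knows how to validate against one of the two identities will reject the
    certificate unless that identity is among the matches.
    """
    owner_ok = cert_matches(san_names, mx_owner)
    target_ok = cert_matches(san_names, mx_target)
    if owner_ok and target_ok:
        return "both"
    if owner_ok:
        return "owner"
    if target_ok:
        return "target"
    return "none"


def survey(mx_owner: str) -> dict:
    """Classify every sample certificate for one mail domain's MX."""
    target = MX_RECORDS[mx_owner]
    return {label: classify(mx_owner, target, sans)
            for label, sans in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, outcome in survey("example.org").items():
        print(f"{label:17s} validates against: {outcome}")
```

Running it shows the three outcomes side by side: the provider's own certificate validates only against the MX target, a certificate the mail domain's operator issued validates only against the owner name, and a certificate left over from a renamed host validates against neither. Whether a client should accept the first or the second is exactly the unspecified question the message points at; the third is the case that no validation policy can rescue.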