IETF Logo Mail Archive

Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Tony Finch <dot@dotat.at> Thu, 03 March 2011 12:23 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6C8928C0E0 for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 04:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.181
X-Spam-Level:
X-Spam-Status: No, score=-6.181 tagged_above=-999 required=5 tests=[AWL=-0.182, BAYES_00=-2.599, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qklop-UxKXB8 for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 04:23:31 -0800 (PST)
Received: from ppsw-51.csi.cam.ac.uk (ppsw-51.csi.cam.ac.uk [131.111.8.151]) by core3.amsl.com (Postfix) with ESMTP id 184683A67A6 for <dnsext@ietf.org>; Thu, 3 Mar 2011 04:23:31 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:52857) by ppsw-51.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:25) with esmtpa (EXTERNAL:fanf2) id 1Pv7a9-0003MD-YJ (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 03 Mar 2011 12:24:37 +0000
Received: from fanf2 (helo=localhost) by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local-esmtp id 1Pv7a9-0000KL-K6 (Exim 4.67) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 03 Mar 2011 12:24:37 +0000
Date: Thu, 03 Mar 2011 12:24:37 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20110303114148.A360FB98E2E@drugs.dv.isc.org>
Message-ID: <alpine.LSU.2.00.1103031148130.14985@hermes-1.csi.cam.ac.uk>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local><alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk> <20110303114148.A360FB98E2E@drugs.dv.isc.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 12:23:33 -0000

On Thu, 3 Mar 2011, Mark Andrews wrote:
> Tony Finch writes:
> >
> > The situation with TLS and SMTP is a mess. Inter-domain SMTP with TLS does
> > not work with certificate validation. There is no specification for how to
> > validate the TLS certificate for an MX server, and it is not obvious what
> > such a specification should say. In practice the vast majority of deployed
> > MX TLS certificates cannot be validated, neither against the MX owner name
> > nor against the MX target.
>
> If you read RFC 821 the HELO response should be used to check that
> you are talking to the machine you are expecting to.

RFC 821 is thorougly obsolete. In particular the canonicalization
requirements that existed in the 1980s were relaxed in the 1990s and no
longer apply.

In any case, the server's host name indicators are useless for secure
server authentication, which is the whole point of TLS.

If I am sending mail to an address at dotat.at, I need to securely verify
that the server I am talking to is supposed to receive mail for dotat.at.
So the TLS certificate must authenticate the MX owner name, dotat.at, not
the MX target mx.cam.ac.uk, nor the virtual service instance name
ppsw-mx-e.csi.cam.ac.uk nor the physical service machine name
ppsw-51.csi.cam.ac.uk. If you authenticate the MX target name or the
server's claimed canonical host name, you are open to attack.

Note that SMTP is able to use one transaction to send a message with
multiple recipients at different domains hosted on the same server. So the
server needs to be able to present a certificate authenticating all of the
mail domains it hosts. The server can't use TLS SNI to select a
certificate dynamically because SNI only allows one name of each type
which is incompatible with SMTP's multi-domain transaction support. In
fact, if the client uses persistent connections it probably does not know
at the time it negotiates TLS which mail domains it might encounter that
deliver to the server.

Now perhaps this mess - both the protocol mess and the deployment mess -
can be fixed by using the firmer foundations that DNSSEC provides, but
that requires protocol development.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fisher: Westerly or northwesterly 3 or 4, occasionally 5, increasing 6 later
in north. Mainly moderate, occasionally rough later. Fog patches for a time.
Moderate or good, occasionally very poor.

v2.23.0 | Report a Bug | By Email