IETF Logo Mail Archive

Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Mark Andrews <marka@isc.org> Thu, 03 March 2011 14:45 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE0CD3A68AD for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 06:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmr-ePn7TzSg for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 06:45:05 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id 9179F3A67B2 for <dnsext@ietf.org>; Thu, 3 Mar 2011 06:45:05 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 0C2CAC9423; Thu, 3 Mar 2011 14:46:03 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 59218216C1E; Thu, 3 Mar 2011 14:46:02 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 11178B9E772; Fri, 4 Mar 2011 01:46:00 +1100 (EST)
To: Tony Finch <dot@dotat.at>
From: Mark Andrews <marka@isc.org>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local><alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk> <20110303114148.A360FB98E2E@drugs.dv.isc.org> <alpine.LSU.2.00.1103031148130.14985@hermes-1.csi.cam.ac.uk> <20110303133541.C19B6B9E307@drugs.dv.isc.org> <alpine.LSU.2.00.1103031337570.14985@hermes-1.csi.cam.ac.uk>
In-reply-to: Your message of "Thu, 03 Mar 2011 13:56:39 -0000." <alpine.LSU.2.00.1103031337570.14985@hermes-1.csi.cam.ac.uk>
Date: Fri, 04 Mar 2011 01:45:59 +1100
Message-Id: <20110303144600.11178B9E772@drugs.dv.isc.org>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 14:45:06 -0000

In message <alpine.LSU.2.00.1103031337570.14985@hermes-1.csi.cam.ac.uk>, Tony F
inch writes:
> On Fri, 4 Mar 2011, Mark Andrews wrote:
> >
> > No.  SMTP is store and forward.
> 
> That makes no difference.

It makes all the difference in the world.  MX records DO NOT AND NEVER
HAVE DEFINED FINAL DELIVER they have only ever defined the NEXT HOP.
 
> Most store-and-forward hops in SMTP are within an organization, and in
> that situation mail routing is not based on the MX records of the
> recipients' mail domains. (cf. message submission) The organization can
> secure its mail transmission using its knowledge of its own setup.
> 
> The important and difficult case is inter-domain SMTP which does rely on
> MX records and cannot rely on prior arrangements for authentication.

And that is done by publishing MX records (secure with DNSSEC) or in their
absence (secure with DNSSEC) constructing a MX record from the A/AAAA records
(secure with DNSSEC).
 
> > The MX records (cryptographically verifiable with DNSSEC) say that you
> > should be talking to mx.cam.ac.uk and if you don't get a TLS connection
> > that says you are talking to that machine you should drop the SMTP
> > connection.
> 
> TLS predates DNSSEC.

Yes and it did not work securely because there was no way to validate
the DNS responses.

> It security model assumes DNSSEC does not exist.

The security model assumed the DNS responses were good.  We can now
prove they are good.

> Therefore TLS must authenticate the domain seen by the end user. It makes
> no sense to authenticate the MX target hostname because that makes you
> vulnerable to spoofing.

Nope.  Flawed logic here.

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Irish Sea: Variable 3 or 4. Slight. Fog patches. Moderate, occasionally very
> poor.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email