Re: [DNSOP] RFC 8482 (the ANY -> HINFO hack) and DNAME

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 18 November 2019 20:56 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A02E12024E for <dnsop@ietfa.amsl.com>; Mon, 18 Nov 2019 12:56:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LotQWSSa3Ni9 for <dnsop@ietfa.amsl.com>; Mon, 18 Nov 2019 12:56:06 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB7F120128 for <dnsop@ietf.org>; Mon, 18 Nov 2019 12:56:06 -0800 (PST)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id D901B3304A5 for <dnsop@ietf.org>; Mon, 18 Nov 2019 15:56:05 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <98d63176-a61f-4ecc-92d1-887ef2189eeb@redbarn.org>
Date: Mon, 18 Nov 2019 15:56:04 -0500
Content-Transfer-Encoding: 7bit
Reply-To: dnsop@ietf.org
Message-Id: <B935C153-B91D-4683-84B6-78F8DFBEA66E@dukhovni.org>
References: <20191116144152.0AB3DF61257@ary.iecc.com> <069FA704-BC4C-4777-B812-E161993F22AB@dukhovni.org> <A3FED43A-8C8B-432D-A1D1-6710B07643D0@isc.org> <BCEB457E-98BB-4B5E-82EB-B552BB8C7DD6@dukhovni.org> <98d63176-a61f-4ecc-92d1-887ef2189eeb@redbarn.org>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Agi3Yvv39tQIIIwwIDJOAq-ICQI>
Subject: Re: [DNSOP] RFC 8482 (the ANY -> HINFO hack) and DNAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 20:56:11 -0000

> On Nov 18, 2019, at 1:00 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> A correct implementation of SMTP could pick up the A and AAAA from
> additional data without making any additional queries.

Some resolvers return "minimal" answers and don't include additional
records.  MTAs can't rely on getting addresses in additional records,
even if the name is canonical.  If the authoritative server sends the
additionals along, then the (local by BCP) resolver the MTA is using
will already have the data cached, and the followup query is fast.

> It could also ignore CNAME records in the A/AAAA response and declare
> that the A/AAAA owner was wrong.

Yes, an implementation that does not support CNAMEs could do that.
My point was that in practice MTAs do support CNAMEs, and they are
deployed for real domains, and work well enough for the operators
to continue to use them.

> We can't break working behaviour no matter what the statistics show.

The MX -> CNAME domains already exist, and receive email.  The
mainstream MTAs don't object, and so at this point the thing that's
somewhat out of sync with practical reality is the RFC.  We can try to
insist that the RFC is right and the world is wrong, but I've moved on.

> A draft that said clients can expect this would also have to say
> servers should not expect clients to expect this.

There could be such a draft, but for now at least the major MTAs just
accept CNAMEs informally and get the mail delivered.

Yes, it helps to not get too creative.  Just today I helped an
operator squash an ESMTP STARTTLS advertisement failure, which
broke inbound email delivery from one large DANE-enabled sender.
The problem was an odd-looking (but mostly benign) EHLO response
anomaly:

	250-"HELO OK."
	250-...
	250-STARTTLS
	...

instead of:

	250-fqdn.example
	250-...
	250-STARTTLS
	...

This was fine for most senders, but not all.  One particular
large sender's ESMTP parser seems to choke on the double-quoted
"HELO OK.", and never sees the STARTTLS, and with DANE TLSA
published, declines to send in the clear.

At the end of the day, operating outside the RFC carries some risk,
and one should not be cavalier in deploying creative deviations from
the spec.  However, post-MX CNAME indirection is seen as too useful by
some to stick to the spec, and since MTAs tolerate this, it is used
in the wild.

-- 
	Viktor.
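The EHLO anomaly described in the message above, worked through in code. This is an added example, not code from the original message, from Postfix or from any of the MTAs discussed; the two sample EHLO replies are constructed from the fragments quoted in the message, and the "strict" mode is an assumption about how a sender's parser might reject a first line that is not an RFC 5321 Domain (the message does not say how the real sender's parser fails). The decision logic follows RFC 7672: once TLSA records are published for the MX host, a sender that cannot see STARTTLS must not fall back to cleartext, so a parse failure turns into a deferral rather than a plaintext delivery.

```python
"""Parse a multi-line ESMTP EHLO reply and decide how to deliver under DANE.

Added illustration; not from the original message or any MTA's source.
"""
import re
from typing import Dict, NamedTuple, Optional

# RFC 5321 section 4.1.2 "Domain" (sub-domain *("." sub-domain)) or an
# address literal in brackets.  Only used by the optional strict check.
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$|^\[[^\]]+\]$"
)


class EhloReply(NamedTuple):
    code: int
    first_line: str                 # verbatim text after "250-" on line 1
    extensions: Dict[str, str]      # EHLO keyword (upper-cased) -> parameters


def parse_ehlo_reply(raw: str) -> EhloReply:
    """Parse a (possibly multi-line) reply to EHLO, RFC 5321 section 4.2.1.

    Line 1 carries the server's Domain and optional greeting text; it is
    kept verbatim and never treated as an extension keyword.  Every later
    line is "<code>-<keyword> [params]" or, on the last line, "<code> ...".
    """
    lines = raw.replace("\r\n", "\n").rstrip("\n").split("\n")
    code: Optional[int] = None
    first_line = ""
    extensions: Dict[str, str] = {}
    for idx, line in enumerate(lines):
        # Each line is 3 digits, then "-" (more to come) or " " (last line).
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        text = line[4:]
        if idx == 0:
            first_line = text
        else:
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
        if line[3] == " ":          # final line; anything after it is junk
            if idx != len(lines) - 1:
                raise ValueError("data after final reply line")
            break
    else:
        raise ValueError("reply not terminated (no '250 ' line)")
    return EhloReply(code, first_line, extensions)


def first_line_is_domain(first_line: str) -> bool:
    """Strict reading of RFC 5321: line 1 must begin with a Domain or
    address literal.  A double-quoted greeting such as "HELO OK." fails.
    (Assumed behaviour of a strict sender; not taken from any real MTA.)"""
    domain = first_line.split(" ", 1)[0]
    return bool(_DOMAIN_RE.match(domain))


def choose_transport(raw: str, tlsa_published: bool, strict: bool = False) -> str:
    """Return 'starttls', 'cleartext' or 'defer' for the given EHLO reply.

    With DANE TLSA records published for the MX host, RFC 7672 forbids
    falling back to cleartext, so a reply in which STARTTLS cannot be seen
    (including one the parser rejects outright) leads to a deferral.
    """
    try:
        reply = parse_ehlo_reply(raw)
        if reply.code != 250:
            raise ValueError(f"EHLO rejected with {reply.code}")
        if strict and not first_line_is_domain(reply.first_line):
            raise ValueError(f"first line is not a Domain: {reply.first_line!r}")
        extensions = reply.extensions
    except ValueError:
        extensions = {}             # a parse failure hides every extension
    if "STARTTLS" in extensions:
        return "starttls"
    return "defer" if tlsa_published else "cleartext"


# Constructed sample replies, built from the fragments quoted in the message.
NORMAL_REPLY = ("250-fqdn.example\r\n250-SIZE 10240000\r\n"
                "250-STARTTLS\r\n250 8BITMIME\r\n")
QUOTED_REPLY = ('250-"HELO OK."\r\n250-SIZE 10240000\r\n'
                "250-STARTTLS\r\n250 8BITMIME\r\n")

if __name__ == "__main__":
    for name, reply in (("normal", NORMAL_REPLY), ("quoted", QUOTED_REPLY)):
        for strict in (False, True):
            mode = "strict" if strict else "lenient"
            print(f"{name:7s} {mode:8s} tlsa=yes ->",
                  choose_transport(reply, tlsa_published=True, strict=strict))
```

The lenient parser finds STARTTLS in both replies, which is why most senders were unaffected; the strict variant rejects the quoted greeting, sees no extensions at all, and with TLSA published defers rather than downgrading, which matches the failure the message reports.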