Re: [DNSOP] Prefixed name spaces and DANE client TLSA
Shane Kerr <shane@time-travellers.org> Wed, 13 January 2016 08:51 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391BB1AC42D for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 00:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xiWg9GsGp4k for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 00:51:56 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A6CC1AC42E for <dnsop@ietf.org>; Wed, 13 Jan 2016 00:51:55 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aJH9h-0006tX-CJ; Wed, 13 Jan 2016 08:51:49 +0000
Date: Wed, 13 Jan 2016 09:51:47 +0100
From: Shane Kerr <shane@time-travellers.org>
To: George Michaelson <ggm@algebras.org>
Message-ID: <20160113095147.609a2b21@pallas.home.time-travellers.org>
In-Reply-To: <CAKr6gn2-NqnWtaHRsrOGS-5xs-h6K3Swd----_VTL8vHpwXF7Q@mail.gmail.com>
References: <20160113055505.54822.qmail@ary.lan> <CAKr6gn2-NqnWtaHRsrOGS-5xs-h6K3Swd----_VTL8vHpwXF7Q@mail.gmail.com>
X-Mailer: Claws Mail 3.13.1 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/mupRIOH_0bbQc-3Lb5R132eNoSI>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Prefixed name spaces and DANE client TLSA
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 08:51:58 -0000
George, I think you are correct in highlighting the role vs. protocol difference. Looking at it like that, John's idea makes sense, although probably it should be inverted, so: _client._smtp._tcp.outbound.example.com This way case, it will happily support protocols that are not client/server (for example, one with more roles). It's not clear to me that this is actually cleaner than: _smtp-client._tcp.outbound.example.com Although it somehow feels better because the dots nicely separate the semantics encoded in the name. On the DNS side, I don't think any of the proposed solutions would be better or worse than any other. I don't think any are particularly complicated, or make verification more difficult. But it wouldn't be the first time that people argue for a particular approach to a protocol because it was the first thing they thought of. ;) Cheers, -- Shane At 2016-01-13 16:59:33 +1000 George Michaelson <ggm@algebras.org> wrote: > I think the mapping of SMTP (a protocol, an over-the wire framing and > dialogue about exchanging mail) has been crossed (crossing-the-beam > crossed) with a ROLE. a client can be an SMTP speaker, and a > forwarder/delivery agent can be an SMTP speaker. They aren't performing the > sale role. > > So does DANE want to identify the ROLE being performed or the protocol > being used to do it? How would DANE feel if instead of SMTP it said > DECNet-Mail? > > The sub-domain thing, is that a real zone-cut? Are there detectable zone > boundaries? Or is this mapping dot-separated elements but without implying > a zone-cut? > > -G > > On Wed, Jan 13, 2016 at 3:55 PM, John Levine <johnl@taugh.com> wrote: > > > I'm having what seems to me a very peculiar argument over in DANE. > > > > There's a draft called draft-huque-dane-client-cert-02 about > > validating SSL certificates for client hosts. The idea, which seems > > reasonable, is that if an SMTP or other client presents a TLS > > certificate claiming that it's outbound.example.com, the server it's > > talking to can look up a TLSA record to see if the certificate is > > valid, analogously to the way a client looks up the server's TLSA. > > > > What's peculiar is the names. The previous proposal was to look up a > > TLSA at _smtp.outbound.example.com, then somone noted that _smtp is > > for servers, so they want to look up the newly invented name > > _smtp-client.outbound.example.com. If you have a client for some > > other service, you make up a name. (Read the draft if this seems like > > an implausible summary.) > > > > I suggested they could avoid a lot of future name collision pain by > > registering "client" as a pseudo_service name, and then looking up > > _smtp._client._tcp.outbound.example.com. If your client is using > > another service, you use the service's name from the existing registry > > of services instead of _smtp, e.g., _imaps._client.tcp.myhost.example. > > > > The DANE crowd thinks this is a terrible idea, it's too complicated, > > makes the SRV-ID verification harder, name collisions won't happen > > and/or are easily solved. Am I missing something, or are they? > > > > Signed, > > Confused > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsop > >
- Re: [DNSOP] Prefixed name spaces and DANE client … George Michaelson
- [DNSOP] Prefixed name spaces and DANE client TLSA John Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Shane Kerr
- Re: [DNSOP] Prefixed name spaces and DANE client … Tony Finch
- Re: [DNSOP] Prefixed name spaces and DANE client … Shumon Huque
- Re: [DNSOP] Prefixed name spaces and DANE client … John R Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Ray Bellis
- Re: [DNSOP] Prefixed name spaces and DANE client … John Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Ray Bellis
- Re: [DNSOP] Prefixed name spaces and DANE client … John Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Ray Bellis
- Re: [DNSOP] Prefixed name spaces and DANE client … Shumon Huque
- Re: [DNSOP] Prefixed name spaces and DANE client … Tim Wicinski
- Re: [DNSOP] Prefixed name spaces and DANE client … John R Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … John R Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Shane Kerr
- Re: [DNSOP] Prefixed name spaces and DANE client … Rob Austein
- Re: [DNSOP] Prefixed name spaces and DANE client … John Levine
- Re: [DNSOP] Prefixed name spaces and DANE client … Shumon Huque
- Re: [DNSOP] Prefixed name spaces and DANE client … Shumon Huque
- Re: [DNSOP] Prefixed name spaces and DANE client … John R Levine
- [DNSOP] Client/server vs. other models (was: Pref… Shane Kerr
- Re: [DNSOP] Prefixed name spaces and DANE client … James Cloos
- Re: [DNSOP] Prefixed name spaces and DANE client … John Levine