Re: [DNSOP] Prefixed name spaces and DANE client TLSA

Shane Kerr <shane@time-travellers.org> Wed, 13 January 2016 08:51 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391BB1AC42D for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 00:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xiWg9GsGp4k for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 00:51:56 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A6CC1AC42E for <dnsop@ietf.org>; Wed, 13 Jan 2016 00:51:55 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aJH9h-0006tX-CJ; Wed, 13 Jan 2016 08:51:49 +0000
Date: Wed, 13 Jan 2016 09:51:47 +0100
From: Shane Kerr <shane@time-travellers.org>
To: George Michaelson <ggm@algebras.org>
Message-ID: <20160113095147.609a2b21@pallas.home.time-travellers.org>
In-Reply-To: <CAKr6gn2-NqnWtaHRsrOGS-5xs-h6K3Swd----_VTL8vHpwXF7Q@mail.gmail.com>
References: <20160113055505.54822.qmail@ary.lan> <CAKr6gn2-NqnWtaHRsrOGS-5xs-h6K3Swd----_VTL8vHpwXF7Q@mail.gmail.com>
X-Mailer: Claws Mail 3.13.1 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/mupRIOH_0bbQc-3Lb5R132eNoSI>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Prefixed name spaces and DANE client TLSA
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 08:51:58 -0000

George,

I think you are correct in highlighting the role vs. protocol
difference.

Looking at it like that, John's idea makes sense, although probably it
should be inverted, so:

_client._smtp._tcp.outbound.example.com 

This way case, it will happily support protocols that are not
client/server (for example, one with more roles).

It's not clear to me that this is actually cleaner than:

_smtp-client._tcp.outbound.example.com

Although it somehow feels better because the dots nicely separate the
semantics encoded in the name.

On the DNS side, I don't think any of the proposed solutions would
be better or worse than any other. I don't think any are particularly
complicated, or make verification more difficult. But it wouldn't be
the first time that people argue for a particular approach to
a protocol because it was the first thing they thought of. ;)

Cheers,

--
Shane

At 2016-01-13 16:59:33 +1000
George Michaelson <ggm@algebras.org> wrote:

> I think the mapping of SMTP (a protocol, an over-the wire framing and
> dialogue about exchanging mail) has been crossed (crossing-the-beam
> crossed) with a ROLE. a client can be an SMTP speaker, and a
> forwarder/delivery agent can be an SMTP speaker. They aren't performing the
> sale role.
> 
> So does DANE want to identify the ROLE being performed or the protocol
> being used to do it? How would DANE feel if instead of SMTP it said
> DECNet-Mail?
> 
> The sub-domain thing, is that a real zone-cut? Are there detectable zone
> boundaries? Or is this mapping dot-separated elements but without implying
> a zone-cut?
> 
> -G
> 
> On Wed, Jan 13, 2016 at 3:55 PM, John Levine <johnl@taugh.com> wrote:
> 
> > I'm having what seems to me a very peculiar argument over in DANE.
> >
> > There's a draft called draft-huque-dane-client-cert-02 about
> > validating SSL certificates for client hosts.  The idea, which seems
> > reasonable, is that if an SMTP or other client presents a TLS
> > certificate claiming that it's outbound.example.com, the server it's
> > talking to can look up a TLSA record to see if the certificate is
> > valid, analogously to the way a client looks up the server's TLSA.
> >
> > What's peculiar is the names.  The previous proposal was to look up a
> > TLSA at _smtp.outbound.example.com, then somone noted that _smtp is
> > for servers, so they want to look up the newly invented name
> > _smtp-client.outbound.example.com.  If you have a client for some
> > other service, you make up a name.  (Read the draft if this seems like
> > an implausible summary.)
> >
> > I suggested they could avoid a lot of future name collision pain by
> > registering "client" as a pseudo_service name, and then looking up
> > _smtp._client._tcp.outbound.example.com.  If your client is using
> > another service, you use the service's name from the existing registry
> > of services instead of _smtp, e.g., _imaps._client.tcp.myhost.example.
> >
> > The DANE crowd thinks this is a terrible idea, it's too complicated,
> > makes the SRV-ID verification harder, name collisions won't happen
> > and/or are easily solved.  Am I missing something, or are they?
> >
> > Signed,
> > Confused
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >