Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
Phil Pennock <ietf-smtp-phil@spodhuis.org> Tue, 03 March 2020 21:06 UTC
Return-Path: <ietf-smtp-phil@spodhuis.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C1D43A0995 for <ietf-smtp@ietfa.amsl.com>; Tue, 3 Mar 2020 13:06:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spodhuis.org header.b=D91Dv7vn; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=spodhuis.org header.b=Db/psbqS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9iB9esTUyrV7 for <ietf-smtp@ietfa.amsl.com>; Tue, 3 Mar 2020 13:06:11 -0800 (PST)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D4563A0991 for <ietf-smtp@ietf.org>; Tue, 3 Mar 2020 13:06:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201911; h=In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=dbKJ+Hc7ltGP1yJkwy5rG3TVlUXpy7WUQnbkuoE7XNE=; b=D91Dv7vnnQZuHcldz4rJkUGD4j ubyxpAaWio5x1zBasfLWD4Zrrn6X8+n6kuOZL4uQDtYXD5Uxgb5raHFri/C/yvTtFgInvya+BfVM8 3EpumhI6T2WzQjieKlkSgGHzkNMQ2d44qQALee3fTOYhZIZyOo6Q7z0OQrm2ToYntAl4qv6QZSqk/ 9edCiFa0uxTUAhz0dTP7ncg/UoQa9yFaiVdzvoHSc6k0BMHNFzzobtpBZaE93nN10mVBqZAIUUNkg 63p+X2ZpaeZoh80tH3E1rIk3AHt0k0+fcEjurYESrkxPgrvxefiMLJW9+/+3CHDmhSSgjTz91cB4c kfJN2EKQ==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201911e2; h=In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=dbKJ+Hc7ltGP1yJkwy5rG3TVlUXpy7WUQnbkuoE7XNE=; b=Db/psbqS5RLc7mH+P26t+ggwbo hNkEHHGW9y2E959LqgeOnt0f37+rIeBhGxUte2WOytLsuTKb5k4wAADvrhCw==;
Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) id 1j9Eju-0006AS-NJ; Tue, 03 Mar 2020 21:06:06 +0000
Date: Tue, 03 Mar 2020 16:06:04 -0500
From: Phil Pennock <ietf-smtp-phil@spodhuis.org>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: ietf-smtp <ietf-smtp@ietf.org>
Message-ID: <20200303210604.GA18965@fullerene>
Mail-Followup-To: Дилян Палаузов <dilyan.palauzov@aegee.org>, ietf-smtp <ietf-smtp@ietf.org>
References: <20200303T122138.2914587387366102844.noreply@letsencrypt.org> <60c385bc383a7cdea8b72aab454e2bb9e672b00c.camel@aegee.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <60c385bc383a7cdea8b72aab454e2bb9e672b00c.camel@aegee.org>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/7aonSK7elhbxkbtO_2alBrH5T5Q>
Subject: Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 21:06:13 -0000
On 2020-03-03 at 13:50 +0000, Дилян Палаузов wrote: > on a very short notice, Let’s Encrypt revokes its certificates with the message below. This effectively means to start > and complete TLSA/DANE/DNSSEC certificate rollover within 24h. > > Is this possible in general, when the DNS TTL on its own is 24h? Do I understand something wrong, stating that this > mass revokation is just bad for DANE+SMTP? > > What is the right way to mass revoke certificates involved in DANE? Make sure that the CA certificate is sent on the TLS connection too. Pin the registrar cert via its public key, not just your own cert. Eg: ; For Let's Encrypt, where they have multiple signing paths, we use ; public-key hashing, not certificate hashing. ; This avoids breakage given, eg, IdenTrust vs other authority paths. _letsencrypt-tlsa IN TLSA ( 02 01 01 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ) ; X1 & X3 _letsencrypt-tlsa IN TLSA ( 02 01 01 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b ) ; X2 & X4 and then CNAME to that for each service affected. I really am not a fan of DANE-EE (Usage 3) certs. It always seems so fragile, to be doing DNS timeout dances and pre-issuing replacement certs, and relying upon others not using resolvers which cache for too long. DANE-TA (Usage 2) identifying the public key of the Certificate Authority (so that their re-issuing the cert doesn't break you, eg Let's Encrypt X1 vs X3) is a much more robust setup IMO. Usage: DANE-TA(2) Selector: SPKI(1) Matching Type: SHA2-256(1) I use a single TLSA record for each "group of CAs which might be valid here" and then CNAMEs for each service using it. Note that Let's Encrypt have a second standby CA ready to use, X4, to go with their active X3. Publish the fingerprints of the public keys of both X3 and X4. -Phil
- [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew th… Дилян Палаузов
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Alessandro Vesely
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Russ Allbery
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Phil Pennock
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… John Levine
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Viktor Dukhovni
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Phil Pennock
- Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Rene… Viktor Dukhovni