Re: [ietf-smtp] Followup to your reply on the IETF-SMTP mailing list

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 25 May 2021 16:35 UTC

Date: Tue, 25 May 2021 12:35:35 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf-smtp@ietf.org
Message-ID: <YK0nV6iB3rWwWWba@straasha.imrryr.org>
Reply-To: ietf-smtp@ietf.org
References: <A697C6EE-4D8C-4C92-92B7-6AD5FA177625@ef1p.com> <f4408787-915a-34e9-86d9-f9dc419c3a8c@tana.it> <DBBAE5C4-2F30-4CAF-BC68-4823868796B0@ef1p.com>
In-Reply-To: <DBBAE5C4-2F30-4CAF-BC68-4823868796B0@ef1p.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/vC3b1Q6_Elqe2pA5Eq-s6evXP8o>
Subject: Re: [ietf-smtp] Followup to your reply on the IETF-SMTP mailing list

On Tue, May 25, 2021 at 12:40:01PM +0200, Kaspar Etter wrote:

> On 24 May 2021, at 12:43, Alessandro Vesely <vesely@tana.it> wrote:

> >> And the beauty of TLSA records is that the MX operator maintains them. All I
> >> have to do as a domain owner is to deploy/enable DNSSEC on my domain.
> > 
> > You're right.  I assumed the TLSA record was not a CNAME.  I guess you mean:
> > 
> > _25._tcp.my-domain.example. IN CNAME _25._tcp.MX-operator.example.
> 
> No, I meant that DANE-aware ESMTP clients first resolve the MX
> indirection and look for TLSA records on the “target/MX” domain.

Indeed, e.g. this is how it works for ~1.2 million domains that are
MX-hosted by one.com MX hosts.  The hosted domain just needs to be
DNSSEC-signed and to point its MX records at the provider.  The DANE
TLSA RRs and all responsibility for managing them are on the MX host side:

    simonvikstrom.se. IN MX 10 mx1.pub.mailpod7-cph3.one.com. ; NoError AD=1
    simonvikstrom.se. IN MX 10 mx2.pub.mailpod7-cph3.one.com. ; NoError AD=1
    simonvikstrom.se. IN MX 10 mx3.pub.mailpod7-cph3.one.com. ; NoError AD=1
    ;
    mx1.pub.mailpod7-cph3.one.com. IN A 185.164.14.86 ; NoError AD=1
    _25._tcp.mx1.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx1.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1
    ;
    mx2.pub.mailpod7-cph3.one.com. IN A 185.164.14.87 ; NoError AD=1
    _25._tcp.mx2.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx2.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1
    ;
    mx3.pub.mailpod7-cph3.one.com. IN A 185.164.14.88 ; NoError AD=1
    _25._tcp.mx3.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx3.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1

-- 
    Viktor.
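The lookup walk the message describes, as an added example that is not part of the original post and not code from one.com or any MTA: a DANE-aware SMTP client (RFC 7672) resolves the destination domain's MX RRset, then queries `_25._tcp.<mx-host>` TLSA for each MX target, and never consults `_25._tcp.<destination-domain>` (so a CNAME there, as proposed earlier in the thread, is simply never asked for). The DNS answers are a constructed in-memory set that mirrors the one.com records quoted above, plus three constructed names (`unsigned.example`, `hosted.example`, `mx.provider.example`) and a constructed SubjectPublicKeyInfo byte string used only to show the DANE-EE SPKI SHA-256 match; a real client takes the SPKI from the certificate presented in the TLS handshake and uses a validating resolver that reports the AD bit.

```python
"""Added example (not from the mailing-list post, one.com, or any MTA):
DANE-for-SMTP TLSA discovery via the MX indirection, over a constructed
in-memory answer set."""
import hashlib
from dataclasses import dataclass


@dataclass
class Answer:
    rrs: list   # rdata tuples: (pref, host) for MX, (usage, selector, mtype, hexdata) for TLSA
    ad: bool    # True when the answer was DNSSEC-validated (AD bit set)


class FakeResolver:
    """Stand-in for a validating stub resolver; records every query it is asked."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []

    def query(self, name, rtype):
        key = (name.lower().rstrip("."), rtype)
        self.queries.append(key)
        return self.zone.get(key, Answer([], True))  # unknown name: secure NODATA


# Digests copied from the one.com records quoted in the message.
ONECOM_MX = ["mx1.pub.mailpod7-cph3.one.com",
             "mx2.pub.mailpod7-cph3.one.com",
             "mx3.pub.mailpod7-cph3.one.com"]
ONECOM_TLSA = [
    (3, 1, 1, "3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421"),
    (3, 1, 1, "ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f"),
]

# Constructed stand-in for a DER SubjectPublicKeyInfo (assumption, not a real key).
SAMPLE_SPKI = b"\x30\x59\x30\x13" + b"constructed-spki-bytes-for-this-example"
SAMPLE_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()

ZONE = {
    # Real hosted domain from the message: signed zone, MX pointed at the provider.
    ("simonvikstrom.se", "MX"): Answer([(10, h) for h in ONECOM_MX], ad=True),
    # Constructed: same provider, but the hosted zone is NOT signed (AD=0).
    ("unsigned.example", "MX"): Answer([(10, ONECOM_MX[0])], ad=False),
    # Constructed: signed hosted domain whose owner also published a CNAME at
    # _25._tcp.<domain>; a DANE client never queries that name.
    ("hosted.example", "MX"): Answer([(10, "mx.provider.example")], ad=True),
    ("_25._tcp.hosted.example", "CNAME"): Answer(["_25._tcp.mx.provider.example"], ad=True),
    ("_25._tcp.mx.provider.example", "TLSA"): Answer([(3, 1, 1, SAMPLE_SPKI_SHA256)], ad=True),
}
for _h in ONECOM_MX:
    ZONE[("_25._tcp." + _h, "TLSA")] = Answer(ONECOM_TLSA, ad=True)


def dane_tlsa_for_domain(domain, resolver):
    """Return {mx_host: [tlsa rdata]} for the hosts where DANE applies.

    Both the MX RRset and each TLSA RRset must be DNSSEC-validated (AD=1).
    An insecure MX answer means the MX indirection itself is unauthenticated,
    so DANE is not applicable to any of those hosts; an insecure TLSA answer
    leaves that host with no usable records (client falls back to
    opportunistic, unauthenticated TLS).  Only port 25 is considered here.
    """
    mx = resolver.query(domain, "MX")
    if not mx.ad:
        return {}
    hosts = [host for _pref, host in sorted(mx.rrs)] or [domain]  # implicit MX
    result = {}
    for host in hosts:
        tlsa = resolver.query("_25._tcp." + host, "TLSA")  # MX target, not the domain
        result[host] = list(tlsa.rrs) if tlsa.ad else []
    return result


def tlsa_matches_spki(tlsa_rrs, spki_der):
    """Match a server SubjectPublicKeyInfo against DANE-EE(3) SPKI(1) SHA2-256(1)
    records, the form used in the quoted zone; other usage/selector/matching
    combinations are out of scope for this example and are skipped."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return any(u == 3 and s == 1 and m == 1 and d.lower() == digest
               for u, s, m, d in tlsa_rrs)


if __name__ == "__main__":
    r = FakeResolver(ZONE)
    for host, rrs in dane_tlsa_for_domain("simonvikstrom.se", r).items():
        print(host, len(rrs), "TLSA record(s)")
    print("unsigned.example ->", dane_tlsa_for_domain("unsigned.example", r))
    print("queries made:", r.queries)
```

The two checks worth keeping from this: the query log shows the client asking for `_25._tcp.<mx-host>` TLSA only, so whatever the hosted domain publishes under its own `_25._tcp` label is irrelevant; and an unsigned hosted zone gets no DANE at all, however good the provider's TLSA records are, which is exactly why the hosted domain's only job is to be DNSSEC-signed.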