Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Mark Andrews <marka@isc.org> Sun, 01 March 2015 22:42 UTC

Return-Path: <marka@isc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3303D1A1BED for <ietf@ietfa.amsl.com>; Sun, 1 Mar 2015 14:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCYrYm1yGxax for <ietf@ietfa.amsl.com>; Sun, 1 Mar 2015 14:42:32 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A61F1A0015 for <ietf@ietf.org>; Sun, 1 Mar 2015 14:42:32 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 36C5D1FCB87 for <ietf@ietf.org>; Sun, 1 Mar 2015 22:42:29 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E1D78160068 for <ietf@ietf.org>; Sun, 1 Mar 2015 22:49:26 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-175-41.carlnfd1.nsw.optusnet.com.au [211.30.175.41]) by zmx1.isc.org (Postfix) with ESMTPSA id A9AA5160059 for <ietf@ietf.org>; Sun, 1 Mar 2015 22:49:26 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 7FD022A96A2B for <ietf@ietf.org>; Mon, 2 Mar 2015 09:42:24 +1100 (EST)
To: ietf@ietf.org
From: Mark Andrews <marka@isc.org>
References: <A74A30F4D1214630918FD4CA@JcK-HP8200.jck.com> <20150223153757.GI1260@mournblade.imrryr.org> <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <20150224170209.GV1260@mournblade.imrryr.org> <54F03F38.9090601@cisco.com> <1ED9F633-40B1-4A90-85FE-14526C27A485@frobbit.se> <54F043F8.6090409@cisco.com> <20150228222733.51B432A92EE3@rock.dv.isc.org> <CAMm+Lwhn=D=nOG4Bt3xcgZWja4-L-RvzJ00CkhKNhs6GnsTXGw@mail.gmail.com> <20150301202727.GD1260@mournblade.imrryr.org>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
In-reply-to: Your message of "Sun, 01 Mar 2015 20:27:27 -0000." <20150301202727.GD1260@mournblade.imrryr.org>
Date: Mon, 02 Mar 2015 09:42:23 +1100
Message-Id: <20150301224224.7FD022A96A2B@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/ExnobsH8DZnrGPaf_taHOjTzRLg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Mar 2015 22:42:34 -0000

In message <20150301202727.GD1260@mournblade.imrryr.org>rg>, Viktor Dukhovni write
s:
> On Sun, Mar 01, 2015 at 10:21:33AM -0500, Phillip Hallam-Baker wrote:
> 
> > On Sat, Feb 28, 2015 at 5:27 PM, Mark Andrews <marka@isc.org> wrote:
> > 
> > >
> > > And that is coming "_25._tlsa" and it uses DNSSEC to prevent the
> > > downgrade.  
> 
> Typo fix: that "_25._tlsa" is of course "_25._tcp".

Thanks
 
> > > Whether your MTA uses STARTTLS or not is another matter
> > > but we can prevent downgrade attacks from succeeding.
> 
> If the MTA implements opportunistic DANE TLS, and usable TLSA
> records *are* published, then it MUST use STARTTLS and authenticate
> the peer via said TLSA records.
> 
>     http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2

I was refering to the fact that publishing records doesn't force
the client to use TLS as we have a large legacy population.  New
client will do this if they are not broken.  That said, adding explict
compliance tests to the rfc may not be a bad idea but this thread is
not the place to discuss it.  I wish EDNS had explict compliance tests
listed so we would not be in the mess we are in today.  Again this thread
is not the place to discuss this.

> > In particular make it possible to explicitly specify criteria such as 'use
> > TLS transport' or 'XYZ authentication is required'.
> 
> For both MX and SRV the DANE WG has settled on publication of TLSA
> RRs to signal both "TLS is required" and "DANE authentication is
> required".

Yep
 
> -- 
> 	Viktor.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org