Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 01 March 2015 20:27 UTC

Date: Sun, 01 Mar 2015 20:27:27 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <20150301202727.GD1260@mournblade.imrryr.org>
References: <A74A30F4D1214630918FD4CA@JcK-HP8200.jck.com> <20150223153757.GI1260@mournblade.imrryr.org> <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <20150224170209.GV1260@mournblade.imrryr.org> <54F03F38.9090601@cisco.com> <1ED9F633-40B1-4A90-85FE-14526C27A485@frobbit.se> <54F043F8.6090409@cisco.com> <20150228222733.51B432A92EE3@rock.dv.isc.org> <CAMm+Lwhn=D=nOG4Bt3xcgZWja4-L-RvzJ00CkhKNhs6GnsTXGw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMm+Lwhn=D=nOG4Bt3xcgZWja4-L-RvzJ00CkhKNhs6GnsTXGw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/VDq0wS2PgCE0iNJ6F9RR8ZpAmKY>

On Sun, Mar 01, 2015 at 10:21:33AM -0500, Phillip Hallam-Baker wrote:

> On Sat, Feb 28, 2015 at 5:27 PM, Mark Andrews <marka@isc.org> wrote:
> 
> >
> > And that is coming "_25._tlsa" and it uses DNSSEC to prevent the
> > downgrade.  

Typo fix: that "_25._tlsa" is of course "_25._tcp".

> > Whether your MTA uses STARTTLS or not is another matter
> > but we can prevent downgrade attacks from succeeding.

If the MTA implements opportunistic DANE TLS, and usable TLSA
records *are* published, then it MUST use STARTTLS and authenticate
the peer via said TLSA records.

    http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2

> In particular make it possible to explicitly specify criteria such as 'use
> TLS transport' or 'XYZ authentication is required'.

For both MX and SRV the DANE WG has settled on publication of TLSA
RRs to signal both "TLS is required" and "DANE authentication is
required".

-- 
	Viktor.
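The following is an added example, not code from the message above, from the DANE drafts, or from any MTA. It sketches the decisions an opportunistic DANE TLS SMTP client makes for one MX host: where the TLSA RRset lives (_25._tcp.<mx host>), which records count as usable, what happens when the MX or TLSA lookup is secure, insecure or bogus, and how a securely learned, usable TLSA RRset turns STARTTLS and peer authentication from optional into mandatory, so that a man-in-the-middle who strips STARTTLS or presents a different key gets a deferral rather than cleartext. All function and class names are the example's own; the "certificate" and "SubjectPublicKeyInfo" bytes are constructed stand-ins rather than real DER, and the handling of a secure RRset that holds only unusable records is the example's choice, with the draft holding the normative text.

```python
"""Opportunistic DANE TLS for SMTP: policy decision and DANE-EE(3) matching.
Added example; names, bytes and the unusable-RRset handling are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Certificate usage, selector and matching-type values as defined in RFC 6698.
DANE_TA, DANE_EE = 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass(frozen=True)
class Lookup:
    """What a DNSSEC-validating resolver reports: 'secure', 'insecure' or 'bogus'."""
    status: str
    rrset: Tuple = ()


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name of the MX host's TLSA RRset: _25._tcp.<mx host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def usable(rec: TLSA) -> bool:
    """Usable for SMTP: DANE-TA(2) or DANE-EE(3) with a supported selector and
    matching type, and a digest of the right length. PKIX-TA(0)/PKIX-EE(1) are
    treated as unusable: there is no agreed trust-anchor set for SMTP."""
    if rec.usage not in (DANE_TA, DANE_EE) or rec.selector not in (SEL_CERT, SEL_SPKI):
        return False
    expected = {MATCH_FULL: None, MATCH_SHA256: 32, MATCH_SHA512: 64}.get(rec.mtype, -1)
    if expected == -1:
        return False
    return expected is None or len(rec.data) == expected


def tls_policy(mx: Lookup, tlsa: Optional[Lookup]) -> str:
    """'dane': STARTTLS mandatory and the peer MUST match a TLSA record.
    'opportunistic': pre-DANE behaviour, STARTTLS if offered, unauthenticated.
    'encrypt': secure RRset with only unusable records (example's choice: TLS
    required, no authentication). 'defer': a bogus answer, do not deliver now."""
    if mx.status == "bogus" or (tlsa is not None and tlsa.status == "bogus"):
        return "defer"
    if mx.status != "secure" or tlsa is None or tlsa.status != "secure":
        return "opportunistic"  # nothing securely learned, nothing to enforce
    return "dane" if any(usable(r) for r in tlsa.rrset) else "encrypt"


def spki_sha256_record(spki_der: bytes) -> TLSA:
    """The record an operator publishes: TLSA 3 1 1 <sha256 of the server SPKI>."""
    return TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(spki_der).digest())


def dane_ee_match(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """Authenticate the peer's leaf certificate against DANE-EE(3) records.
    DANE-TA(2) needs chain construction and is declined here, not faked."""
    for r in rrset:
        if not usable(r) or r.usage != DANE_EE:
            continue
        subject = spki_der if r.selector == SEL_SPKI else cert_der
        if r.mtype == MATCH_FULL:
            digest = subject
        elif r.mtype == MATCH_SHA256:
            digest = hashlib.sha256(subject).digest()
        else:
            digest = hashlib.sha512(subject).digest()
        if hmac.compare_digest(digest, r.data):
            return True
    return False


def deliver(policy: str, server_offers_starttls: bool, peer_matches: bool) -> str:
    """The point where a downgrade would happen. Under 'dane' a stripped STARTTLS
    or an unmatched key ends in 'defer', never in cleartext."""
    if policy == "defer":
        return "defer"
    if policy == "opportunistic":
        return "tls-unauthenticated" if server_offers_starttls else "cleartext"
    if not server_offers_starttls:
        return "defer"
    if policy == "dane":
        return "tls-authenticated" if peer_matches else "defer"
    return "tls-unauthenticated"  # 'encrypt'


# Constructed inputs (not real DER): a pretend SPKI and certificate for the MX host.
SPKI = b"\x30\x59\x30\x13constructed-spki-bytes"
CERT = b"\x30\x82constructed-cert-wrapping-" + SPKI
MX_HOST = "mx1.example.com"
PUBLISHED = (spki_sha256_record(SPKI),)


def demo() -> dict:
    """Honest server, STARTTLS-stripping MitM, key-substituting MitM, and a
    domain without DNSSEC, all against the same published TLSA 3 1 1 record."""
    secure_mx, secure_tlsa = Lookup("secure", (MX_HOST,)), Lookup("secure", PUBLISHED)
    insecure_mx, insecure_tlsa = Lookup("insecure", (MX_HOST,)), Lookup("insecure", PUBLISHED)
    evil_spki = b"\x30\x59attacker-key"
    dane = tls_policy(secure_mx, secure_tlsa)
    return {
        "owner": tlsa_owner(MX_HOST),
        "honest": deliver(dane, True, dane_ee_match(PUBLISHED, CERT, SPKI)),
        "stripped_starttls": deliver(dane, False, False),
        "mitm_key": deliver(dane, True, dane_ee_match(PUBLISHED, b"\x30x", evil_spki)),
        "no_dnssec": deliver(tls_policy(insecure_mx, insecure_tlsa), False, False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The "no_dnssec" case is the one Mark's and Viktor's messages are about: the same TLSA record, when it cannot be validated, enforces nothing, so a domain that wants the downgrade protection has to sign its zone, publish the records under _25._tcp of each MX host, and keep the MX host's key in step with the digest it publishes.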