IETF Logo Mail Archive

Re: [Uta] Updated drafts for MTA-STS & TLSRPT

Daniel Margolis <dmargolis@google.com> Thu, 23 February 2017 21:04 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A333F129B01 for <uta@ietfa.amsl.com>; Thu, 23 Feb 2017 13:04:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmsaU371nODq for <uta@ietfa.amsl.com>; Thu, 23 Feb 2017 13:04:57 -0800 (PST)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101BE12999C for <uta@ietf.org>; Thu, 23 Feb 2017 13:04:57 -0800 (PST)
Received: by mail-wr0-x231.google.com with SMTP id z61so1780710wrc.1 for <uta@ietf.org>; Thu, 23 Feb 2017 13:04:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=0YptmcMv1b4kZzbV98VCR0qkIZlXLXeI4K0I4UUUpZU=; b=dEImRbXIOwTF4j3qBbkE/up+QH5VpAez++J+menKUGJLD6rYL7DS5Gr6ZQM5YNUW0j QeJDJWz2yoQn3t8Ydi6xjunsje8aR4sk4O3RYz8+lhFhVCxIfzscpHd9SCYKZtByNLZp ChIbUpR9dkdJ/s5WwItmg4GjwDhy0KUtqz5unpw6E4iCEUTjWs+B3TIY6EQ3ZjieG+4A CrjJiRNHy8fsHxdXlK9nSF98rKviknCZ0gMQElJ9bQgJI9FCciTb8pL0nYQc5V1q3m3I C0LgVHKNbxENhHWRj0zKhE8W7NlI0aZOW7brCtP6q8EGics5Del6ZH3XW38YfFg/3YzU oshg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=0YptmcMv1b4kZzbV98VCR0qkIZlXLXeI4K0I4UUUpZU=; b=rPdQq3/XriP+0ENLkx5FxDnXOxC/s/no08kmZIU3OUsCeNvL0AnHjZ4pgiPqaRLwvH v9X7XD39YS417iXQZ0fUTBDPtDP7wMdI8h7EhSHwatEQjV/B5L090Cj6wRZ7ojNB0k3a IBGkQZFlvITPotfIrZWZDLOlY07PiaG3o1gLIz/J6NIjtCJfwdwliUd+F/prwdI0OchA wQWW6jbI6i3AM/oHZ0VGg8l3GconRFaCOQ6VGWR9pAoZKSvjEH1BZDVEfvVzY9qikP3e chhHPJBqcCfWv4S4tWcsdHMkgfJJriuohwHDuzS8gpTJb2lD2x1HbyBJ1Nq5Nqf8kBff cBmQ==
X-Gm-Message-State: AMke39lil+4NvIcx2Sq7W46VWoV0+Mhg/ZdH9AMXCg1CoRMyhbPkxKmfPQ9bTEW+5J29BvI3XvqF5GRZrZEkHTum
X-Received: by 10.223.134.52 with SMTP id 49mr5390984wrv.50.1487883894796; Thu, 23 Feb 2017 13:04:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.55.132 with HTTP; Thu, 23 Feb 2017 13:04:53 -0800 (PST)
In-Reply-To: <905199AC-51EE-42E9-AB54-68C99578A03E@dukhovni.org>
References: <a0701ba14a704ac08f2b099a0576e22e@COPDCEX19.cable.comcast.com> <CA+E3Fw2=3QCeeB2hOjzKERwRaF6p_G9z6Gm9GA4Yz2qE0KBhRA@mail.gmail.com> <CANtKdUfO5Onw=_c0kPfAB7HDuh+R4Q-svCQgjdS6MZbSh+ksAg@mail.gmail.com> <905199AC-51EE-42E9-AB54-68C99578A03E@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Thu, 23 Feb 2017 23:04:53 +0200
Message-ID: <CANtKdUeiUrvzYmVW3_pEojtOzwG8nMdx8H8OwGK=JA0GaefaNQ@mail.gmail.com>
To: "uta@ietf.org" <uta@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a1146c03c0e7621054938f7b0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/Aj2HXmoySSfInMMc7LlQ3faglis>
Subject: Re: [Uta] Updated drafts for MTA-STS & TLSRPT
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 21:04:59 -0000

On Thu, Feb 23, 2017 at 11:00 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Feb 23, 2017, at 3:35 PM, Daniel Margolis <dmargolis@google.com>
> wrote:
> >
> >> 2. It prevents new MX records (eg new servers for increased capacity or
> backups) not covered by the cached policy from being used until the
> max_age, or until a failure to send with all the covered servers.
>
> This should be a non-problem.  The DNS record exists precisely to signal
> a requirement for "early" policy refresh.  So when the domain's policy
> changes, the DNS record policy "id" SHOULD change to alert remote caches
> that the cached data is likely stale.
>
> This applies whether or not the change is to the list of acceptable "mx"
> hosts, or to some other property.
>

Yes, but my point was that we don't (to my recollection) actually require
senders to check for new policies on every mail send--they can legitimately
keep using an old, cached policy as long as it works.

As you say below, there are many optional strategies for senders to refresh
policies in a reasonable way, so I am not of the opinion this is a fatal
flaw. On whether it would be better to say senders SHOULD take one of these
policies, though, I am open to feedback.


>
> > So you've pointed out a somewhat subtle pitfall. If I deploy a policy
> > with "mx: ['*.google.com']" and I later deploy additional MXs with
> > higher priority on mail.google.net (and, because I'm smart, I
> > remember to update my deployed policy), senders may nonetheless
> > only send mail to the old .com MXs, resulting in an unexpected
> > traffic imbalance.
>
> Only if you're negligent, and fail to modify the DNS record.
> Negligence can cause many other operational issues, there are
> no designs immune to operator negligence.
>
> > 2. This could be fixed if we said that senders MUST seek a
> > new policy whenever some MXs are filtered out by policy
> > application (5.2 step 2).
>
> That's both unnecessary, and problematic.  The issue is that
> this condition is "sticky", until the policy matches the MX
> RRset, the sender is in a constant "refetch" condition.  It
> is best to avoid this trigger.  The DNS record triggers a
> single update, and then its "id" is cached with the same
> or any new policy.
>
> > 3. This is optionally fixed by senders refreshing cached
> > policies at an arbitrary time, which they may (but need not)
> > do.
>
> In addition to the text record trigger, senders should
> attempt to opportunistically (not triggered by DNS
> changes) refresh the policy at or after the midpoint
> between the last retry attempt and the expiration (but
> at least an ~1 hour after that attempt).
>
> Thus when a policy is published for 90 days, and then the
> policy server goes off-line, the retries would be (approx):
>
>         <= 45 days left
>         <= 22 days
>         <= 11 days
>         <= 6 days
>         <= 3 days
>         <= 36 hours
>         <= 18 hours
>         <= 9 hours
>         <= 4 hours
>         <= 2 hours
>         <= 1 hour
>
> More retry attempts just short of expiration are likely pointless.
>
> --
>         Viktor.
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email