Re: [Uta] Expired/sold domains with a long max_age policy
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 16 August 2017 06:06 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F891252BA for <uta@ietfa.amsl.com>; Tue, 15 Aug 2017 23:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJX2jrA1rrxX for <uta@ietfa.amsl.com>; Tue, 15 Aug 2017 23:06:50 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61171241F5 for <uta@ietf.org>; Tue, 15 Aug 2017 23:06:49 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 635CF7A330A; Wed, 16 Aug 2017 06:06:48 +0000 (UTC)
Date: Wed, 16 Aug 2017 06:06:48 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20170816060648.GA8146@mournblade.imrryr.org>
Reply-To: uta@ietf.org
References: <CAHZoaj5oZgi3x5_duzW=jzYD_iio8u-r4-pQr2nYJeHTfUOs8Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHZoaj5oZgi3x5_duzW=jzYD_iio8u-r4-pQr2nYJeHTfUOs8Q@mail.gmail.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/BEiJ5qRAcccqyGj4iwAua0TEVuw>
Subject: Re: [Uta] Expired/sold domains with a long max_age policy
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 06:06:52 -0000
On Wed, Aug 16, 2017 at 02:39:43AM +0200, Ayke van Laethem wrote: > I see a potential issue with very long max_age rules. Consider that > the domain name example.org is sold to someone else, but the previous > max_age in the policy was set at 10 years and various hosts (e.g. > gmail.com) have sent email to example.org and thus have a cached > policy. > > So if the new owner of example.org decides to add email, they *have > to* also implement STARTTLS with the given MX hosts in the previous > policy (which will often be impossible due to moving to a different > email provider), or publish a new MTA-STS policy. If they take over the domain, they presumably also take over DNS. If they don't intent to implement STS, they will not publish the TXT record, which is a change in the TXT record, and thus any cached policy should trigger a refresh attempt. For that refresh attempt to cause the policy to be flushed there would actually need to be an HTTPS server serving a "none" policy. > If they don't know > MTA-STS was used before, sending email will not work from some > domains, without a clear signal as to why this is the case. Yes, the new domain owner would have to know that the domain had STS< or just publish a "none" policy in case there was a previous policy in place. The difficulty is of course how long such a "none" policy should be in place. For this to be a manageable duration, there should be a maximum "max_age" that sending systems accept, with any higher values truncated to that maximum. > Another option is to limit max_age to one year, similar to how HTTP > used to limit caching to one year [1][2]. Also see [3]. This is not a > perfect solution, but it will reduce the size of the problem. Yes, with the limit imposed by each sender and a "SHOULD NOT" on publishing max_age beyond that limit for receiving domains. -- Viktor.
- [Uta] Expired/sold domains with a long max_age po… Ayke van Laethem
- Re: [Uta] Expired/sold domains with a long max_ag… Viktor Dukhovni
- Re: [Uta] Expired/sold domains with a long max_ag… Daniel Margolis