[Uta] General question on draft-ietf-uta-mta-sts-03

<Gerard.DRAPER-GIL@ec.europa.eu> Thu, 30 March 2017 09:22 UTC

Return-Path: <Gerard.DRAPER-GIL@ec.europa.eu>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AEB7128B4E for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 02:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.998
X-Spam-Level:
X-Spam-Status: No, score=-6.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.796, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CitX9iba17cr for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 02:22:09 -0700 (PDT)
Received: from out.mail.ec.europa.eu (out.mail.ec.europa.eu [147.67.249.4]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61EC11293E9 for <Uta@ietf.org>; Thu, 30 Mar 2017 02:22:07 -0700 (PDT)
Received: from S-DC-EMP015-E.net1.cec.eu.int (158.167.3.16) by S-DC-EDG010-Q.rcnet.cec.eu.int (147.67.249.4) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 30 Mar 2017 11:21:58 +0200
Received: from S-DC-EMP013-B.net1.cec.eu.int (158.167.2.37) by S-DC-EMP015-E.net1.cec.eu.int (158.167.3.16) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 30 Mar 2017 11:22:04 +0200
Received: from S-DC-ESTE03-B.net1.cec.eu.int ([169.254.2.152]) by S-DC-EMP013-B.net1.cec.eu.int ([158.167.2.37]) with mapi id 14.03.0301.000; Thu, 30 Mar 2017 11:22:04 +0200
From: Gerard.DRAPER-GIL@ec.europa.eu
To: Uta@ietf.org
Thread-Topic: General question on draft-ietf-uta-mta-sts-03
Thread-Index: AQHSqTcY8jps5Nhu0EGU3v8+sjq0sA==
Date: Thu, 30 Mar 2017 09:22:04 +0000
Message-ID: <2DB01F3A9898AE41BB3266315D9FDA2704902822@S-DC-ESTE03-B.net1.cec.eu.int>
Accept-Language: en-GB, fr-LU, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [158.167.189.38]
Content-Type: multipart/alternative; boundary="_000_2DB01F3A9898AE41BB3266315D9FDA2704902822SDCESTE03Bnet1c_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/IM1XUgKlXKaVB00vChCC64QhrjA>
Subject: [Uta] General question on draft-ietf-uta-mta-sts-03
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 09:22:12 -0000

After reading the MTA-STS drafts, and following the discussions, there's still a question that I do not fully understand.

Why use DNS to "announce" the use of MTA-STS but rely on HTTPS for publishing the policy? So far, the policy is not that complex.
Wouldn't a DNS TXT record suffice in many cases?
I understand that in some cases the policy may be longer, depending on how many MX records a domain may have.
Fetching the policy from an HTTPS service could be an option for those who require longer policy descriptions.
Another option for longer policies could be to add an 'include' parameter, like in SPF, therefore avoiding the need for another service (HTTPS) to deliver the policy.

It may not simplify the work for the implementation of MTA-STS (fetching from HTTPS would still have to be implemented), but it would make it easier to deploy (I think).

As an example, the TXT records could look like:

MTA-STS just DNS:
_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; mode=enforce; mx=*.example.com; max_age=12345600"

MTA-STS with DNS and HTTPS:
_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; use=https"

MTA-STS with DNS and 'include':
_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; max_age=12345600 include=_mta-sts01,_mta-sts02;"
_mta-sts01.example.com IN TXT "mx=mx1.example.com,mx2.example.com;"
_mta-sts02.example.com IN TXT "mx=*.example1.com;"

Gerard Draper Gil
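The DNS-only record format sketched in the message above, as an added worked example that is not part of the original post, the draft, or any MTA-STS implementation: a small Python resolver that parses the proposed TXT fields, expands the relative 'include' labels against a constructed in-memory zone (standing in for real DNS TXT lookups), and checks candidate MX hostnames against the resulting policy using single-label wildcards. Several details are assumptions of this example rather than anything the message specifies: fields are separated by ';' or whitespace (so the third record parses as written), include nesting is capped at a small depth in the spirit of SPF's lookup limit, and a missing `mode` is treated as `testing`.

```python
"""Toy resolver for the DNS-only MTA-STS TXT layout proposed on the list.

Example code only; the zone below is constructed sample data, not real records.
"""
import re

# Constructed TXT records keyed by owner name; replaces a real DNS resolver.
ZONE = {
    "_mta-sts.example.com": (
        "v=STSv1; id=20173003110000Z; max_age=12345600 "
        "include=_mta-sts01,_mta-sts02;"
    ),
    "_mta-sts01.example.com": "mx=mx1.example.com,mx2.example.com;",
    "_mta-sts02.example.com": "mx=*.example1.com;",
    "_mta-sts.dnsonly.example": (
        "v=STSv1; id=20173003110000Z; mode=enforce; mx=*.example.com; max_age=12345600"
    ),
    "_mta-sts.httpsonly.example": "v=STSv1; id=20173003110000Z; use=https",
}

# Assumption: bound include recursion so a misconfigured or hostile zone
# cannot make the receiver chase includes forever (SPF caps lookups similarly).
MAX_INCLUDE_DEPTH = 3


def parse_fields(txt):
    """Split 'k=v; k=v' text into a dict; ';' and whitespace both separate fields."""
    fields = {}
    for part in re.split(r"[;\s]+", txt.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query against the constructed zone."""
    if name not in zone:
        raise LookupError(f"no TXT record for {name}")
    return zone[name]


def collect_mx(fields, domain, zone, depth=0):
    """Gather mx= patterns, following relative include= labels under `domain`."""
    patterns = [p for p in fields.get("mx", "").split(",") if p]
    if "include" in fields:
        if depth >= MAX_INCLUDE_DEPTH:
            raise ValueError("include nesting too deep")
        for label in fields["include"].split(","):
            sub = parse_fields(lookup_txt(f"{label}.{domain}", zone))
            patterns.extend(collect_mx(sub, domain, zone, depth + 1))
    return patterns


def fetch_policy(domain, zone=ZONE):
    """Resolve the policy for `domain` from its _mta-sts TXT record."""
    fields = parse_fields(lookup_txt(f"_mta-sts.{domain}", zone))
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if fields.get("use") == "https":
        # The record only announces MTA-STS; the policy must be fetched over HTTPS.
        return {"id": fields["id"], "use": "https"}
    return {
        "id": fields["id"],
        "mode": fields.get("mode", "testing"),  # assumption: default to testing
        "max_age": int(fields["max_age"]),
        "mx": collect_mx(fields, domain, zone),
    }


def mx_matches(pattern, host):
    """Match one MX pattern; '*.' covers exactly one leading label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def mx_allowed(policy, host):
    """True if `host` is an MX the policy permits delivery to."""
    return any(mx_matches(p, host) for p in policy.get("mx", []))


def policy_resolvable(domain, zone=ZONE):
    """True if the policy resolves without a lookup or include error."""
    try:
        fetch_policy(domain, zone)
        return True
    except (LookupError, ValueError):
        return False
```

Note that the published MTA-STS design (RFC 8461, the successor of draft-03) keeps the DNS record as an announcement and fetches the policy over HTTPS; this example models only the alternative the message proposes, so it should be read as a sketch of that proposal's parsing and matching rules, not as behaviour of any shipped MTA-STS client.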