IETF Logo Mail Archive

[Uta] Expired/sold domains with a long max_age policy

Ayke van Laethem <aykevanlaethem@gmail.com> Wed, 16 August 2017 00:40 UTC

Return-Path: <aykevanlaethem@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3017E1323C1 for <uta@ietfa.amsl.com>; Tue, 15 Aug 2017 17:40:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18wj5v7mwOMX for <uta@ietfa.amsl.com>; Tue, 15 Aug 2017 17:40:05 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DFA21323AC for <uta@ietf.org>; Tue, 15 Aug 2017 17:40:05 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id x191so12702880qka.5 for <uta@ietf.org>; Tue, 15 Aug 2017 17:40:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=36sBQs50cbgPOwvcJU5GlHgd3v3gOXxRUPbR1By6F/8=; b=Ohh8sbSspXjW1HTYe6WayrVKs+trtf8DL9kYd6WaDm5VLktCDmbi4qdZBB9cN8/Czl 2pFZ2YOCTGLIwunaY78uZ+x8EjBox4Wo513AILKn11GsR+GW2+1N+qALMU9vVH0B2drI YLjNF0qS5VLaLQYVrNPdQ/+rxzwdu+HiAINejIyrlh4fBMF13oK7z9nwhebS0UN87a66 m0g9Da0KFNvTNqZ9KKsQ08Z7Soc9KMYEO9lp/ZwxbC2mg0+eYWaB8r0EWqCZWADAkGXW SwWxMQ1b/hdCzRw1Akf7hHRj4YC6/KkLHKq2AVTF8wJuVIfiyJ4aHgNTLVsdPYeBxA2J igng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=36sBQs50cbgPOwvcJU5GlHgd3v3gOXxRUPbR1By6F/8=; b=J9NYBeXitfcEEQXRO/5gEBJxLNfNWPZ9CqYzSIAo88L9iWx+EbE0emXIOI6FBffY1i R2yIZeBi0XpiWp9VJ3or2sKhhFHAENuCPM19pLpzjAGUJPtNSfKwoKPb2dK0Ei97chtJ T2KkuKXRWHRNlMNOarA3tjQ7Zia2aRR9CGt9HsCAGzANxUayIyT83QK8NKa+9y5olJWn NhUVnzhaCsacLjkYXfVUypDM9Epa14cLa7hBYaGelNr7DyA/joNw0iRUtpNv0vnPCGat 7ycasX/GdGnGO5/zABZBdFscAHcoRfcPjuPMnYCmMRaXJkkSNsP1Qs7k5xUfkj16ao32 tP4A==
X-Gm-Message-State: AHYfb5gRcK86GKVrfF+r6jiBGdLf6lZIs6dhs4knefcKPNx46sE7ODqP 5Gj0GqyKk0grXFPUBoLAXZKQb9Xa0bhZ
X-Received: by 10.55.91.135 with SMTP id p129mr5637qkb.32.1502844003861; Tue, 15 Aug 2017 17:40:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.23.84 with HTTP; Tue, 15 Aug 2017 17:39:43 -0700 (PDT)
From: Ayke van Laethem <aykevanlaethem@gmail.com>
Date: Wed, 16 Aug 2017 02:39:43 +0200
Message-ID: <CAHZoaj5oZgi3x5_duzW=jzYD_iio8u-r4-pQr2nYJeHTfUOs8Q@mail.gmail.com>
To: uta@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/pjcDzbll4NWcD48Z-nCktcpUu2E>
Subject: [Uta] Expired/sold domains with a long max_age policy
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 00:40:07 -0000

I see a potential issue with very long max_age rules. Consider that
the domain name example.org is sold to someone else, but the previous
max_age in the policy was set at 10 years and various hosts (e.g.
gmail.com) have sent email to example.org and thus have a cached
policy.
So if the new owner of example.org decides to add email, they *have
to* also implement STARTTLS with the given MX hosts in the previous
policy (which will often be impossible due to moving to a different
email provider), or publish a new MTA-STS policy. If they don't know
MTA-STS was used before, sending email will not work from some
domains, without a clear signal as to why this is the case.

Note that setting up MTA-STS requires some effort above simply setting
up email itself (setting up STARTTLS, setting up a new mta-sts domain,
obtaining a certificate, serving a new policy file). It is also not
like HSTS: with HSTS the only requirement is enabling HTTPS, but with
MTA-STS many more things need to be configured to override or adhere
to a cached policy.

My suggestion would be to add to the description of max_age that long
durations may not always be desirable.
Another option is to limit max_age to one year, similar to how HTTP
used to limit caching to one year [1][2]. Also see [3]. This is not a
perfect solution, but it will reduce the size of the problem.

[1]: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.3
[2]: https://tools.ietf.org/html/rfc7234#section-5.3
[3]: https://github.com/mrisher/smtp-sts/blob/master/mta-sts.md#denial-of-service

v2.23.0 | Report a Bug | By Email