Re: [Uta] Updated drafts for MTA-STS & TLSRPT
Daniel Margolis <dmargolis@google.com> Thu, 23 February 2017 20:35 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 711B3129A67 for <uta@ietfa.amsl.com>; Thu, 23 Feb 2017 12:35:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWi74VfSZlNa for <uta@ietfa.amsl.com>; Thu, 23 Feb 2017 12:35:42 -0800 (PST)
Received: from mail-yb0-x22a.google.com (mail-yb0-x22a.google.com [IPv6:2607:f8b0:4002:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 954971294DF for <uta@ietf.org>; Thu, 23 Feb 2017 12:35:42 -0800 (PST)
Received: by mail-yb0-x22a.google.com with SMTP id i66so693033yba.1 for <uta@ietf.org>; Thu, 23 Feb 2017 12:35:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LOOMQ4bx2IdhdbG0Bool1WA6832zKQkrm2wID1Otr+I=; b=bmQUYiPCM8BiImup8up5+iGUWZ936Z0A2w3lU+AFww39wF82qd60bV+cvJi23ooBqD GA5YwSfLhUqYUODJFaExv8WfMloEHjQ3FqgFwfk3lcCYCQ8xs09WAeVGZ+/khc3gXeX8 D7DZY+B7bRJHuGQC+52KSfGFh7J1PR1pr9Kqdg6lGMP9RTamJzlyO4wh7jTsk/wPUkix wqevmO3UjmCTkG9QuKsFIFuoRBHpxSwETe9neBsngp5Fe8GtzFZdVsmIK4SxLCG2GeUu gvzeacccxxpLFC07taw8DKntH1vGkW7C7g4iB/gOHdAg9NbtEIOoy8gSaX8odZ+6n74h xJzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LOOMQ4bx2IdhdbG0Bool1WA6832zKQkrm2wID1Otr+I=; b=TUeN07NUXj0w66m1WpOsCoWjHR4v2NEe3AkO+/fFUrZyz6Ss46bzd/fUCXbpcANm0b a7Vk5SV7je/F6CGTCZ1QKQCO4MSvZBh5THt4EGumweGqnl/N9oQeCmXRREkh207lgr9f Ly+WuxCwA6EilEWpQCnybUBwbKdLsA3lAUaTxUsv0dv3XJUpN24mehwKBn5PYk6nGXe9 rS+LwHkuSB8qiLJjHUMebawv//YPkcU4hsswGqFzRRUeC2thpfKZO8dwHJw6rfRfX25w pEXF4K0cLtS5xTMFVlHKXUj/t3zr/DgCdTI68RViumEO7RDpMqwXT9JqTzwSpOtm7JPz xPIQ==
X-Gm-Message-State: AMke39kpcsaL3UgmSxvJ42PYGsL++PBkrypEcnce0fH8nQjHWBl8lHmGeonl+XE+t2CXN1PdyP551v7GNG80tjfe
X-Received: by 10.37.119.5 with SMTP id s5mr24152347ybc.124.1487882141034; Thu, 23 Feb 2017 12:35:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.24.6 with HTTP; Thu, 23 Feb 2017 12:35:40 -0800 (PST)
In-Reply-To: <CA+E3Fw2=3QCeeB2hOjzKERwRaF6p_G9z6Gm9GA4Yz2qE0KBhRA@mail.gmail.com>
References: <a0701ba14a704ac08f2b099a0576e22e@COPDCEX19.cable.comcast.com> <CA+E3Fw2=3QCeeB2hOjzKERwRaF6p_G9z6Gm9GA4Yz2qE0KBhRA@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Thu, 23 Feb 2017 22:35:40 +0200
Message-ID: <CANtKdUfO5Onw=_c0kPfAB7HDuh+R4Q-svCQgjdS6MZbSh+ksAg@mail.gmail.com>
To: David Illsley <davidillsley@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114be7e28989df0549388e1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/sqZ6UNUQdytL6io7QJ0t9LHlzqc>
Cc: "uta@ietf.org" <uta@ietf.org>, "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Subject: Re: [Uta] Updated drafts for MTA-STS & TLSRPT
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 20:35:44 -0000
Thanks for the comments! Comments inline. On Mon, Feb 20, 2017 at 9:16 PM, David Illsley <davidillsley@gmail.com> wrote: > In general, the fact the a complete failure causes a policy update makes > this simple and safe. There are a couple of reasons why I think it's not > quite that easy: > 1. It's not desirable for a 'report' configuration to be used beyond the > point that a domain has switched to 'enforce', and a long-cached 'report' > policy could do this. > 2. It prevents new MX records (eg new servers for increased capacity or > backups) not covered by the cached policy from being used until the > max_age, or until a failure to send with all the covered servers. > Right. And in fact, per section 5.2, if a policy covers only some of the current MX records, a sender with that policy may continue to use that policy unless/until none of the allowed MX records are reachable or unless/until none of the MX records are valid under the policy. There is no *requirement* that a sender refresh the cached policy as long as it continues to work. So you've pointed out a somewhat subtle pitfall. If I deploy a policy with "mx: ['*.google.com']" and I later deploy additional MXs with higher priority on mail.google.*net *(and, because I'm smart, I remember to update my deployed policy), senders may nonetheless only send mail to the old *.com* MXs, resulting in an unexpected traffic imbalance. A few observations about this case: 1. I don't know that this is a serious issue; it depends heavily on how specific the "mx" pattern is versus turnover in MX hosts. As far as I recall we haven't changed our MX hosts as long as I've worked here... 2. This could be fixed if we said that senders MUST seek a new policy whenever some MXs are filtered out by policy application (5.2 step 2). 3. This is optionally fixed by senders refreshing cached policies at an arbitrary time, which they may (but need not) do. Since they can cheaply discover the presence of new policies (and may in fact lookup the magical TXT record prior to doing a cache-policy-check anyway, depending on implementation), this isn't really far-fetched--but we don't require them to do so. There is also a downside that if policies are cached for a long time, > misconfiguration of the policy server is less likely to be noticed quickly > as fewer domains will be sending reports indicating a failure. > That's also a good point, and it is unaddressed by my hypothetical MUST above (#2). > > Having pondered it a bit, my suggestion is: > 1. A SHOULD that max_age is set to at least 6 months, other than during > roll-out > 2. A SHOULD that well-behaved clients with a cached policy should re-check > DNS TXT policy weekly, and retrieve via HTTPS if the policy id has changed. > I think the phrasing you give here suggests that if I send mail to your domain less than once a week, I should run a cron job to refresh the cache--and I hate cron jobs. So to be slightly pedantic, would it work just as well to say senders SHOULD check for an updated policy *if* *using* a policy which is older than one week? (My phrasing may be unclear, but I mean, of course, that they need only check for an updated policy if they are otherwise sending mail to that domain anyway.) Of course, we could still simply suggest/require senders *always* check for a new policy--it's one more DNS lookup to the recursive resolver per-send--but I bet in some implementations there are good reasons not to do this. > An alternative to (2) would be to add an optional refresh_after field with > similar semantics which would have a default value of 7 days which could be > overridden if, for some reason there are concerns that weekly is too often > (but I'm generally of the opinion that fewer options are better). > Agreed, I think extra options here are just extra complexity. > > I hope that makes sense, and do let me know if I've missed something. > Cheers, > David > > > > On Wed, Feb 15, 2017 at 7:57 PM, Brotman, Alexander < > Alexander_Brotman@comcast.com> wrote: > >> Folks, >> >> We uploaded new revisions for MTA-STS and TLSRPT. There are minor >> changes to each: >> >> 1) Remove the "_" from DNS records to be consistent with A/AAAA records >> used with the HTTPS retrieval, and make this a bit less confusing for >> deployments. We did this for both MTA-STS and TLSRPT. >> 2) Clarify language around punycode >> >> Please give these a review and get back to us with any comments. Thank >> you. >> >> -- >> Alex Brotman >> Sr. Engineer, Anti-Abuse >> Comcast >> x5364 >> >> >> _______________________________________________ >> Uta mailing list >> Uta@ietf.org >> https://www.ietf.org/mailman/listinfo/uta >> > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > >
- [Uta] Updated drafts for MTA-STS & TLSRPT Brotman, Alexander
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Alberto Bertogli
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis