Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 June 2022 20:47 UTC

Date: Thu, 23 Jun 2022 16:47:40 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <YrTRbIMW2OatWZYO@straasha.imrryr.org>
Reply-To: uta@ietf.org
References: <20220623164409.E3244442721A@ary.qy> <0d44d21b-671d-d916-e0ac-29013fbd3f65@stpeter.im> <93ea21b8-f62c-1196-1587-7a5a97a81da2@taugh.com>
In-Reply-To: <93ea21b8-f62c-1196-1587-7a5a97a81da2@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/x5DLyxUk2_-rwlnzWqMKXv99BHs>

On Thu, Jun 23, 2022 at 01:42:46PM -0400, John R Levine wrote:

> Among the reasons that DANE in e-mail is less common is that it is tricky. 

DANE is only "tricky" when you're trying to integrate TLSA record
updates with ACME cert rollovers and don't configure key reuse.

Otherwise the same "3 1 1" record continues to work across cert
rollovers for multiple domains, regardless of the MX hostname used.
For example:

    digitalehuisbaas.be. IN MX 10 mail.digitalehuisbaas.be.
    mail.digitalehuisbaas.be. IN A 141.138.169.203
    mail.digitalehuisbaas.be. IN AAAA 2a03:3c00:a002:203::1001
    _25._tcp.mail.digitalehuisbaas.be. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.digitalehuisbaas.be[141.138.169.203]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.digitalehuisbaas.be[2a03:3c00:a002:203::1001]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    headshot.amsterdam. IN MX 10 mail.headshot.amsterdam.
    mail.headshot.amsterdam. IN A 141.138.169.226
    mail.headshot.amsterdam. IN AAAA 2a03:3c00:a002:226::1000
    _25._tcp.mail.headshot.amsterdam. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.headshot.amsterdam[141.138.169.226]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.headshot.amsterdam[2a03:3c00:a002:226::1000]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    creatievestudio.be. IN MX 10 mail.creatievestudio.be.
    mail.creatievestudio.be. IN A 141.138.169.210
    mail.creatievestudio.be. IN AAAA 2a03:3c00:a002:210::100d
    _25._tcp.mail.creatievestudio.be. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.creatievestudio.be[141.138.169.210]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.creatievestudio.be[2a03:3c00:a002:210::100d]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    ... ~95 thousand more ...

-- 
    Viktor.
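The point of the post is that a "3 1 1" TLSA record binds the server's public key, not any particular certificate, so a renewal that reuses the key leaves the record valid while a renewal that rotates the key breaks it. The following Go program, added here as an illustration and not part of the thread or of any DANE tool, makes that concrete: it derives the DANE-EE(3) SPKI(1) SHA2-256(1) record from a certificate (SHA-256 over the DER SubjectPublicKeyInfo), performs the depth-0 match a DANE-aware SMTP client does, and then simulates two rollovers. The self-signed Ed25519 certificates stand in for ACME-issued ones, and `mail.example.invalid` is a constructed placeholder hostname.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of one TLSA record: certificate usage, selector,
// matching type and association data. For "3 1 1" the data is SHA-256 over
// the DER SubjectPublicKeyInfo of the end-entity certificate.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// String renders the RDATA as it appears in a zone file.
func (r TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.MatchingType,
		hex.EncodeToString(r.Data))
}

// TLSA311 derives the DANE-EE(3) SPKI(1) SHA2-256(1) record for a certificate.
// Only the public key is hashed, so every certificate carrying the same key
// yields the same record, whatever its serial, validity window or issuer.
func TLSA311(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}

// Matches311 is the depth-0 check a DANE-aware SMTP client performs: does the
// presented end-entity certificate's SPKI digest equal the published record?
func Matches311(r TLSA, cert *x509.Certificate) bool {
	if r.Usage != 3 || r.Selector != 1 || r.MatchingType != 1 {
		return false
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return bytes.Equal(sum[:], r.Data)
}

// selfSigned issues a throwaway self-signed certificate for key, standing in
// for what an ACME CA would issue. Each issuance gets a fresh serial number
// and validity window, which is all that changes on a routine rollover.
func selfSigned(host string, key ed25519.PrivateKey, serial int64) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RolloverDemo publishes a "3 1 1" record for an initial certificate, then
// renews twice: once reusing the key, once with a freshly generated key.
// It reports whether the original record still matches each renewal.
func RolloverDemo() (sameKeyOK, newKeyOK bool, rec TLSA, err error) {
	const host = "mail.example.invalid" // constructed placeholder, not a real MX

	_, key1, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	initial, err := selfSigned(host, key1, 1)
	if err != nil {
		return
	}
	rec = TLSA311(initial) // what _25._tcp.<host> would publish

	renewedSameKey, err := selfSigned(host, key1, 2) // rollover, key reused
	if err != nil {
		return
	}
	_, key2, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	renewedNewKey, err := selfSigned(host, key2, 3) // rollover, key rotated
	if err != nil {
		return
	}
	return Matches311(rec, renewedSameKey), Matches311(rec, renewedNewKey), rec, nil
}

func main() {
	same, rotated, rec, err := RolloverDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("_25._tcp.mail.example.invalid. IN TLSA", rec)
	fmt.Println("renewal reusing key matches:", same, "| renewal with new key matches:", rotated)
}
```

The first renewal reports a match and the second does not, which is the whole reason the "3 1 1" records in the post keep working across thousands of domains: the hosting provider keeps the key and only the certificate around it changes. The operational rule that follows is to publish the new record (or a second one) and wait out the DNS TTL before deploying a certificate with a new key, or to configure the ACME client to reuse the key.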