On Thu, Dec 19, 2013 at 08:07:10AM -0800, [email protected] wrote:
> Filename : draft-ietf-dane-srv-03.txt
Another point I should raise is the question of when to perform
TLSA lookups. In implementing DANE for Postfix, I found that it
is unwise to search for TLSA RRs for an MX host whose hostname ->
address mapping is insecure (that is when the MX RRset is in a
secure zone, but the MX host is not).
The example I posted to this group was nist.gov's MX RRset:
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com.
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
nist-gov.mail.protection.outlook.com. IN A 207.46.163.170
nist-gov.mail.protection.outlook.com. IN A 207.46.163.215
nist-gov.mail.protection.outlook.com. IN A 207.46.163.247
nist-gov.mail.protection.outlook.com. IN A 207.46.163.138
$ dig +dnssec +noall +comment +ans -t tlsa nist-gov.mail.protection.outlook.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
Attempts to retrieve the TLSA RRset SERVFAIL. Postfix (as likely
should all other applications that want to find TLSA RRs) skips
the TLSA lookup when the MX (form of SRV) host's zone is not secure.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
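To make the gating rule in the message concrete, here is an added example (it is not Postfix code and not from the draft) that reads the ";; flags:" and ";; ->>HEADER<<-" lines of the quoted dig output and decides whether a TLSA query is warranted. The sample outputs are constructed from the text above and the decision strings are my own naming.

```python
import re

# Regexes for the two dig header lines quoted in the message.
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);")
STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus:\s*([A-Z]+)")


def parse_dig(output):
    """Extract the AD (authenticated data) bit and the RCODE from dig output."""
    ad, status = False, "NOERROR"
    for line in output.splitlines():
        line = line.strip()
        m = FLAGS_RE.match(line)
        if m:
            ad = "ad" in m.group(1).split()
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
    return {"ad": ad, "status": status}


def tlsa_decision(mx_output, addr_output):
    """Gating rule from the message: query TLSA only when both the MX RRset
    and the MX host's address RRset were validated (AD bit set)."""
    if not parse_dig(mx_output)["ad"]:
        return "no-dane: MX RRset not validated"
    if not parse_dig(addr_output)["ad"]:
        return "no-dane: MX host address RRset not validated"
    return "lookup-tlsa"


# Constructed samples, copied from the dig output quoted in the message.
MX_NIST_GOV = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com.
"""
A_OUTLOOK = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
nist-gov.mail.protection.outlook.com. IN A 207.46.163.170
"""
TLSA_OUTLOOK = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    # The secure MX RRset points at a host in an unsigned zone: skip TLSA.
    print(tlsa_decision(MX_NIST_GOV, A_OUTLOOK))
    # Had the lookup been made anyway, the answer is a hard SERVFAIL,
    # not "no TLSA records", which is why gating matters.
    print(parse_dig(TLSA_OUTLOOK)["status"])
```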