Anyone have appropriate contacts at icann.org to encourage them
to dogfood DANE TLSA RRs for their SMTP servers?
A quick scan of the DNS and MX hosts shows that icann.org and all
its MX hosts (A/AAAA records) are DNSSEC validated, but none of
the MX hosts offer STARTTLS:
icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
pechora1.icann.org. IN A 192.0.33.71 ; smtperr: STARTTLS not offered
pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
pechora3.icann.org. IN A 192.0.33.73 ; smtperr: STARTTLS not offered
pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
pechora4.icann.org. IN A 192.0.33.74 ; smtperr: STARTTLS not offered
pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
pechora5.icann.org. IN A 192.0.46.71 ; smtperr: STARTTLS not offered
pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
pechora7.icann.org. IN A 192.0.46.73 ; smtperr: STARTTLS not offered
pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
pechora8.icann.org. IN A 192.0.46.74 ; smtperr: STARTTLS not offered
pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered
Sure looks like Sendmail with STARTTLS not enabled:
posttls-finger: Connected to pechora1.icann.org[192.0.33.71]:25
posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
posttls-finger: > EHLO amnesiac.local
posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [192.0.2.1], pleased to meet you
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE
posttls-finger: < 250-DSN
posttls-finger: < 250-ETRN
posttls-finger: < 250-DELIVERBY
posttls-finger: < 250 HELP
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection
All they have to do is enable STARTTLS and publish TLSA RRs. Either
some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's
TLSA RRset to a shared location where the trust-anchor
IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>
TLSA RRset is defined, or a different self-signed certificate for
each MX host with per-host
IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>
records. We got there for ietf.org, and I think icann.org should
set a similar example. People reasonably seem to expect them to,
based on frequent tests for icann.org at https://dane.sys4.de/
Do what you say and all that...
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
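As an added example (not part of Viktor's message or of any ICANN or IETF tooling), the shell functions below derive the two TLSA record flavours he describes from a PEM certificate: a per-host DANE-EE(3) SPKI(1) SHA2-256(1) record, and a shared DANE-TA(2) Cert(0) SHA2-256(1) record with each MX host's TLSA name CNAMEd to it. It assumes the openssl command-line tool is installed; the host and owner names under example.test are constructed placeholders.

```sh
#!/bin/sh
# Added example: derive TLSA rdata for an SMTP server from a PEM certificate.
# usage 2 = DANE-TA, 3 = DANE-EE; selector 0 = Cert (full DER), 1 = SPKI (DER);
# matching type is fixed to 1 = SHA2-256, as in the records quoted in the message.
# Assumes the openssl CLI is available (an assumption, not stated in the message).
sha256_hex() {
  openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

tlsa_rdata() {
  # $1 = usage, $2 = selector, $3 = PEM certificate file
  case "$2" in
    0) digest=$(openssl x509 -in "$3" -outform DER | sha256_hex) ;;
    1) digest=$(openssl x509 -in "$3" -noout -pubkey \
                | openssl pkey -pubin -outform DER | sha256_hex) ;;
    *) echo "unsupported selector $2" >&2; return 1 ;;
  esac
  printf '%s %s 1 %s\n' "$1" "$2" "$digest"
}

# Second option from the message: a distinct self-signed certificate per MX host,
# published as a per-host DANE-EE(3) SPKI(1) SHA2-256(1) record at the port-25 name.
# Because only the SPKI is hashed, reissuing the certificate with the same key
# leaves the record unchanged.
tlsa_ee_record() {
  # $1 = MX hostname, $2 = that host's PEM certificate
  printf '_25._tcp.%s. IN TLSA %s\n' "$1" "$(tlsa_rdata 3 1 "$2")"
}

# First option from the message: one DANE-TA(2) Cert(0) SHA2-256(1) record at a
# shared owner name, with every MX host's TLSA name aliased to it by CNAME.
tlsa_ta_zone() {
  # $1 = shared owner name, $2 = trust-anchor (CA) PEM certificate,
  # remaining arguments = MX hostnames
  shared="$1" ca="$2"; shift 2
  printf '%s. IN TLSA %s\n' "$shared" "$(tlsa_rdata 2 0 "$ca")"
  for mx in "$@"; do
    printf '_25._tcp.%s. IN CNAME %s.\n' "$mx" "$shared"
  done
}
```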