In message <[email protected]>, Paul Wouters writes:
> On Tue, 17 Feb 2015, Viktor Dukhovni wrote:
>
> > This creates an interesting edge-case for testing whether individual
> > MX hosts (or SRV target hosts) live in a signed zone (that's the
> > purpose of the A/AAAA queries in the SRV and SMTP drafts that
> > gate the applicability of TLSA lookups):
> >
> > ; example.com is a signed zone
> > ;
> > example.com. IN MX 0 mail.example.com.
> > mail.example.com. IN CNAME mail.example.net.
> > _25._tcp.mail.example.com. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> >
> > ; example.net is an "insecure" zone:
> > ;
> > mail.example.net. IN A 192.0.2.1
> >
> > When a query for the "A" records of "mail.example.com." is
> > sent to a validating iterative resolver, the response has
> > a CNAME RR, an "A" RR and AD=0. However the query domain
> > is actually "secure", the reason for "AD=0" is that the CNAME
> > points into an "insecure" zone.
> >
> > To accommodate this edge-case, when the A/AAAA record returns
> > an insecure CNAME, Postfix sends a second query:
> >
> > mail.example.com. IN CNAME ?
> >
> > and if that yields "AD=1", TLSA records are still requested:
> >
> > _25._tcp.mail.example.com. IN TLSA ?
> >
> > and used if returned (with AD=1).
>
> Why does postfix care about the security of the A/CNAME results before
> asking for TLSA records?
>
> Why isn't it asking for TLSA records, and if those are secure, don't
> care about the AD bit for the A/AAAA/CNAME.
Because there are idiots that design nameservers, firewalls and scrubbing
services that think asking for TLSA records is a good reason to drop the
query. Looking at the result of the MX/A/AAAA query and using that to
determine if the TLSA query should be performed reduces the number of
queries that encounter such idiocy. MX/A/AAAA are rarely dropped.

> As long as whatever insecure A/CNAME/AAAA address has the right
> certificate you were looking for.
>
> Paul
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
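The gating logic Viktor describes (and the reason Mark gives for it) as an added Python example; this is not code from the thread or from Postfix. The `Response` and `Resolver` classes are assumed stand-ins for a validating resolver, the answers are constructed from the zones quoted above, and AAAA handling is omitted for brevity.

```python
from dataclasses import dataclass


@dataclass
class Response:
    rrs: list   # (owner, rtype, rdata) triples in the answer section
    ad: bool    # Authenticated Data bit as set by the validating resolver


# Constructed answers keyed by (qname, qtype), mirroring the thread's example:
# example.com is signed, example.net is not, so the A answer carries AD=0.
TLSA_RDATA = "3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
ANSWERS = {
    ("mail.example.com.", "A"): Response(
        [("mail.example.com.", "CNAME", "mail.example.net."),
         ("mail.example.net.", "A", "192.0.2.1")], ad=False),
    ("mail.example.com.", "CNAME"): Response(
        [("mail.example.com.", "CNAME", "mail.example.net.")], ad=True),
    ("_25._tcp.mail.example.com.", "TLSA"): Response(
        [("_25._tcp.mail.example.com.", "TLSA", TLSA_RDATA)], ad=True),
    ("mail.example.net.", "A"): Response(
        [("mail.example.net.", "A", "192.0.2.1")], ad=False),
}


class Resolver:
    """Stand-in for a validating iterative resolver; logs every query sent."""
    def __init__(self, answers):
        self.answers = answers
        self.log = []

    def query(self, qname, qtype):
        self.log.append((qname, qtype))
        return self.answers.get((qname, qtype), Response([], ad=False))


def tlsa_records_for(resolver, host, port=25):
    """Return usable TLSA rdata for host, or [] when DANE does not apply."""
    addr = resolver.query(host, "A")
    secure = addr.ad
    if not secure and any(o == host and t == "CNAME" for o, t, _ in addr.rrs):
        # Edge case: qname may be in a signed zone while its CNAME target is
        # insecure, so ask for the CNAME alone and trust that answer's AD bit.
        secure = resolver.query(host, "CNAME").ad
    if not secure:
        return []   # insecure MX host: the TLSA query is never sent
    tlsa = resolver.query("_%d._tcp.%s" % (port, host), "TLSA")
    if not tlsa.ad:
        return []   # TLSA answers are only used when authenticated
    return [r for _, t, r in tlsa.rrs if t == "TLSA"]
```

The resolver log shows the point of the gating: for a host in an insecure zone only the A query leaves the machine, and no TLSA query is exposed to middleboxes that drop it.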
