On Tue, Feb 17, 2015 at 06:46:13PM -0500, Paul Wouters wrote:
> Why does postfix care about the security of the A/CNAME results before
> asking for TLSA records?
Because "nist.gov" would otherwise receive no email:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18665
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;nist.gov. IN MX
nist.gov. MX 0 nist-gov.mail.protection.outlook.com.

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53098
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA

The nameservers for the unsigned zone of nist.gov's MX hosts are
allergic to TLSA queries. They return "NOTIMPL" instead of:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.nist-gov.mail.protection.outlook.com. IN A
You can try it for yourself:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37877
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;mail.protection.outlook.com. IN NS
mail.protection.outlook.com. NS ns1-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. NS ns2-proddns.glbdns.o365filtering.com.

$ dig +norecur +dnssec +noall +comment +qu -t tlsa
_25._tcp.nist-gov.mail.protection.outlook.com.
@ns1-proddns.glbdns.o365filtering.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 19776
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec
+noedns'

$ dig +norecur +nodnssec +noedns +noall +comment -t tlsa
_25._tcp.nist-gov.mail.protection.outlook.com.
@ns1-proddns.glbdns.o365filtering.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 56709
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
This was discussed quite some time ago, and has been in the SMTP
draft since. The domain "nist.gov" is not a comprehensive list of
problem domains. The SMTP draft avoids sending queries for "exotic"
RR-types to "minimal" nameservers that don't support DNSSEC.
> Why isn't it asking for TLSA records, and if those are secure, don't
> care about the AD bit for the A/AAAA/CNAME.
Because those queries would all too often spuriously fail, and with
"discovery" of TLS support (opportunistic DANE TLS), would lead to
loss of connectivity, since the failures are indistinguishable from
downgrade attacks.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
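The two lookup orderings argued about in this exchange, as an added model that is not part of the thread and is not Postfix code: a stub resolver is seeded with the outcomes the dig output above shows (the AD-flagged MX answer for nist.gov and the SERVFAIL on the TLSA query), plus an assumed insecure A reply for the MX host in its unsigned zone and a hypothetical signed domain `example.net.` with a TLSA record for contrast. `tlsa_after_secure_address` checks the AD bit on the address answer before asking for TLSA, as the SMTP draft does; `tlsa_first` asks for TLSA unconditionally and, since a lookup failure cannot be told apart from a downgrade, defers delivery. Function names, the IP addresses (TEST-NET) and the TLSA digest placeholder are all constructed.

```python
"""Added example: why the TLSA lookup waits for a secure address answer.

The resolver below is a constructed in-memory stand-in seeded with the
replies shown in the dig output above; nothing here is Postfix code.
"""
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"
    NOTIMP = "NOTIMP"
    FORMERR = "FORMERR"


@dataclass
class Reply:
    rcode: Rcode
    answers: list = field(default_factory=list)
    ad: bool = False  # AD bit: a validating resolver proved this answer


# Constructed replies.  The MX answer (AD set) and the TLSA SERVFAIL match
# the dig output on the page; the A reply for the MX host is assumed to be
# an unsigned (no AD) success, as the message describes that zone.
REPLIES = {
    ("nist.gov.", "MX"): Reply(Rcode.NOERROR,
                               ["nist-gov.mail.protection.outlook.com."], ad=True),
    ("nist-gov.mail.protection.outlook.com.", "A"): Reply(Rcode.NOERROR,
                                                          ["192.0.2.10"], ad=False),
    ("_25._tcp.nist-gov.mail.protection.outlook.com.", "TLSA"): Reply(Rcode.SERVFAIL),
    # Hypothetical fully signed domain with a TLSA record, for contrast.
    ("example.net.", "MX"): Reply(Rcode.NOERROR, ["mx.example.net."], ad=True),
    ("mx.example.net.", "A"): Reply(Rcode.NOERROR, ["192.0.2.20"], ad=True),
    ("_25._tcp.mx.example.net.", "TLSA"): Reply(Rcode.NOERROR,
                                                ["3 1 1 <placeholder digest>"], ad=True),
}

# Rcodes that mean "the lookup itself failed", as opposed to a clean
# "no such record" answer.
LOOKUP_FAILURES = {Rcode.SERVFAIL, Rcode.NOTIMP, Rcode.FORMERR}


def query(qname, qtype):
    """Constructed stub resolver: unknown names get an insecure NXDOMAIN."""
    return REPLIES.get((qname, qtype), Reply(Rcode.NXDOMAIN))


def tlsa_after_secure_address(mx_host):
    """Ordering used by the SMTP draft: resolve the MX host's address first
    and only ask for TLSA when that answer carried the AD bit."""
    addr = query(mx_host, "A")
    if addr.rcode in LOOKUP_FAILURES:
        return "defer"   # cannot even resolve the host; try again later
    if not addr.ad:
        return "may"     # unsigned zone: no TLSA query, opportunistic TLS
    tlsa = query(f"_25._tcp.{mx_host}", "TLSA")
    if tlsa.rcode in LOOKUP_FAILURES:
        return "defer"   # signed zone but TLSA lookup failed: possible downgrade
    if tlsa.rcode == Rcode.NOERROR and tlsa.answers and tlsa.ad:
        return "dane"    # authenticate the server against its TLSA records
    return "may"         # secure "no TLSA" answer: back to opportunistic TLS


def tlsa_first(mx_host):
    """Ordering proposed in the question: ask for TLSA unconditionally.
    A failed lookup is indistinguishable from a downgrade, so it defers."""
    tlsa = query(f"_25._tcp.{mx_host}", "TLSA")
    if tlsa.rcode in LOOKUP_FAILURES:
        return "defer"
    if tlsa.rcode == Rcode.NOERROR and tlsa.answers and tlsa.ad:
        return "dane"
    return "may"


def compare(domain):
    """Return {mx_host: (draft ordering result, TLSA-first result)}."""
    mx = query(domain, "MX")
    return {h: (tlsa_after_secure_address(h), tlsa_first(h)) for h in mx.answers}


if __name__ == "__main__":
    for d in ("nist.gov.", "example.net."):
        print(d, compare(d))
```

For nist.gov the draft ordering yields "may" (mail flows with opportunistic TLS) while TLSA-first yields "defer" on every attempt, which is the "would otherwise receive no email" outcome; for the signed example domain both orderings agree on "dane".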