[dns-operations] TLSA records on MX

Zuleger, Holger, Vodafone DE holger.zuleger at vodafone.com
Mon Jun 10 14:56:40 UTC 2013


Hi,
 
> | My domain with such records is "spodhuis.org", and I'm happy for its
> | mail-server to be similarly probed for interop purposes.
> 
> I added the _25._tcp TLSA record, feel free to use my domain
> (dougbarton.us) for such testing. My MX server is postfix 2.10.

as far as I understand draft-ietf-dane-srv (see Chapter 6), the TLS certificate 
of the server authenticates the SRV query domain (which is dougbarton.us)
and the server SHOULD also have a certificate that authenticates the target
domain (which is in your case dougbarton.us as well), but the certificate
you are providing authenticates the domain www.dougbarton.us, right?

The certificate provided by spodhuis.org authenticates the target mx.spodhuis.org,
but not the query domain (which is spodhuis.org).

Do I maybe misinterpret the draft?

Here is the relevant text:

<cite draft-ietf-dane-srv-02>
6.  Guidance for server operators

   In order to support this specification, server software MUST
   implement the TLS Server Name Indication extension (TLS SNI)
   [RFC6066] for selecting the appropriate certificate.

   A server that supports TLS and is the target of a SRV record MUST
   have a TLS certificate that authenticates the SRV query domain (i.e.
   the service domain, or "source domain" in [RFC6125] terms).  This is
   necessary for clients that cannot perform DNSSEC validation.  This
   certificate MUST be the default that is presented if the client does
   not use TLS SNI.

   In order to support this specification, the server SHOULD also have a
   certificate that authenticates the SRV target domain (the mail server
   hostname).  This can be done using a multi-name certificate or by
   using the client's TLS SNI to select the appropriate certificate.
   The server's TLSA record SHOULD correspond to this certificate.
</cite>

Regards
 Holger
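The two rules quoted above can be checked mechanically once you know which names each of a server's certificates carries. The following stdlib-only Python is an added example, not code from this message, from the draft, or from either of the servers mentioned: it models the section 6 MUST (the certificate presented without SNI must authenticate the query domain) and SHOULD (some certificate, default or SNI-selected, should authenticate the target host), and builds the TLSA record that would be published under the target host. All hostnames, the SNI table and the SPKI bytes are constructed for illustration; the name comparison is a simplified RFC 6125 match (exact, or a wildcard that is the whole leftmost label) and does not apply public-suffix rules.

```python
"""Model the certificate-name rules of draft-ietf-dane-srv section 6.

Constructed example (not from the mailing-list post or the draft):
  MUST   - the certificate sent when the client offers no SNI authenticates
           the SRV/MX query domain ("source domain" in RFC 6125 terms);
  SHOULD - a certificate reachable by SNI authenticates the SRV target host
           (the MX hostname), and the TLSA record matches that certificate.
"""
import hashlib
from dataclasses import dataclass, field


def name_matches(presented: str, reference: str) -> bool:
    """Simplified RFC 6125 DNS-ID comparison: case-insensitive exact match, or a
    wildcard that is the entire leftmost label ('*.example.org' matches
    'mx.example.org' but neither 'example.org' nor 'a.mx.example.org')."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if p == r:
        return True
    if p.startswith("*.") and "." in p[2:]:
        r_labels = r.split(".")
        return len(r_labels) >= 3 and ".".join(r_labels[1:]) == p[2:]
    return False


@dataclass
class ServerCerts:
    """Names on the certificate a server presents without SNI, plus the names on
    whatever certificate it selects for a given SNI value (assumed: exact-key
    lookup, falling back to the default certificate)."""
    default_names: list
    sni_names: dict = field(default_factory=dict)

    def names_for(self, sni=None) -> list:
        if sni is None:
            return self.default_names
        return self.sni_names.get(sni.lower().rstrip("."), self.default_names)


def check_section6(server: ServerCerts, query_domain: str, target_host: str) -> dict:
    """Evaluate the MUST (query domain, no SNI) and SHOULD (target host, SNI
    offered) rules for one query-domain -> target-host mapping."""
    no_sni = server.names_for(None)
    with_sni = server.names_for(target_host)
    return {
        "query_domain_ok": any(name_matches(n, query_domain) for n in no_sni),
        "target_host_ok": any(name_matches(n, target_host) for n in with_sni),
    }


def tlsa_owner_name(target_host: str, port: int = 25, proto: str = "tcp") -> str:
    """The TLSA owner name hangs off the SRV *target* host, not the query domain."""
    return f"_{port}._{proto}.{target_host.rstrip('.')}."


def tlsa_dane_ee_spki_sha256(spki_der: bytes) -> str:
    """Presentation-format RDATA for usage 3 (DANE-EE), selector 1
    (SubjectPublicKeyInfo), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# Constructed cases: (certificates the server holds, query domain, target host).
CASES = {
    # certificate names only the MX host, like the mx.<domain> case in the thread
    "target_only": (ServerCerts(["mx.example.org"]), "example.org", "mx.example.org"),
    # MX is the apex itself but the certificate names an unrelated www host
    "wrong_host": (ServerCerts(["www.example.net"]), "example.net", "example.net"),
    # one multi-name default certificate covering both, as section 6 suggests
    "compliant": (ServerCerts(["example.com", "mx.example.com"]),
                  "example.com", "mx.example.com"),
    # query domain on the default certificate, target host selected via SNI
    "via_sni": (ServerCerts(["example.edu"], {"mx.example.edu": ["mx.example.edu"]}),
                "example.edu", "mx.example.edu"),
}


def run_cases() -> dict:
    return {k: check_section6(s, q, t) for k, (s, q, t) in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:12s} {result}")
    fake_spki = b"constructed SubjectPublicKeyInfo bytes, not a real key"  # assumption
    print(tlsa_owner_name("mx.example.com"), "IN TLSA", tlsa_dane_ee_spki_sha256(fake_spki))
```

Only the "compliant" and "via_sni" layouts satisfy both rules; a certificate that names only the MX host passes the SHOULD but not the MUST, which is the mismatch the message above is asking about. For a real server, replace the constructed name lists with the subjectAltName dNSName entries of the certificates actually presented with and without SNI, and hash the DER-encoded SubjectPublicKeyInfo of the certificate the TLSA record is meant to match.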