[dns-operations] TLSA records on MX
Doug Barton
dougb at dougbarton.us
Tue Jun 11 04:45:59 UTC 2013
On 06/10/2013 03:40 PM, Phil Pennock wrote:
> On 2013-06-10 at 14:56 +0000, Zuleger, Holger, Vodafone DE wrote:
>> The Certificate provided by spodhuis.org authenticates the target mx.spodhuis.org,
>> but not the query domain (which is spodhuis.org).
>
> To be clear: for mail delivery, you want:
> http://tools.ietf.org/html/draft-ietf-dane-smtp-01
>
> The SMTP case is not quite the same as the SRV case, thus there being a
> distinct draft to cover it.
With respect to Tony (and others who contributed), it took me a
non-trivial amount of time to sort through the two drafts in order to
figure out what I needed to do.
IMO the "main" draft could use a little more clarity, including some
more examples, and personally I would incorporate the MX text in the
same draft. It's true that the MX and SRV cases are distinct, but
they're not _that_ different.
> The SRV text doesn't quite match MX practice; historically, there's been
> *no* default verification of certificate hostname for MX delivery,
> because nobody could agree even on what should be, or could safely be,
> validated.
I'm pretty sure that doesn't match my experience, but given that a
standard is being worked on, hopefully it won't be an issue for much
longer. :)
> The server for spodhuis.org also handles a number of other domains and
> it would be inappropriate to pick one, or to reissue the cert as domains
> come and go. This is the fundamental issue which led to solution of
> validating the _target_ domain.
IMO that makes a lot of sense. DNSSEC should "certify" the records for
the domain itself, but the remote SMTP host is going to be connecting to
the target of the MX record, similar to the way that a web client
connects to the server which is certified by the SSL...errr...TLS
certificate for that server.
> In the text you cite, the "MUST" is for clients that cannot perform
> DNSSEC validation, to attempt to preserve backwards compatibility for
> some fairly common cases where there's a 1:1 mapping between domain at
> hostname (target domain) servicing the domain.
Yeah, that bit didn't make any sense to me. I'm having trouble
understanding what the utility of TLSA records would be in the absence
of DNSSEC. I suppose that it would have _some_ utility, but it's hard to
see why it would be enough to justify the effort.
Doug
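The point made above, that the TLSA record is looked up under the MX target (mx.spodhuis.org) rather than under the queried mail domain (spodhuis.org), and that a DANE-EE match needs neither a PKIX chain nor a hostname-in-certificate check, is illustrated below. This is an added example for this page, not code from the thread or from either of the drafts it cites. The MX RRset, the certificate/SPKI bytes and the TLSA RDATA are all constructed inline so it runs offline, and the function names are my own.

```python
"""DANE-EE (TLSA usage 3) check for an MX target, stand-alone illustration.

Added example, not code from the thread or from any of the drafts it cites.
Everything here runs offline: the MX lookup result, the certificate's
SubjectPublicKeyInfo bytes and the TLSA RDATA are constructed in this file.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    cert_assoc: bytes   # certificate association data


def tlsa_owner_name(mx_target: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an SMTP server.

    The record is published under the MX *target* host (the name the
    sending MTA actually connects to), not under the mail domain that
    was queried for MX.
    """
    return f"_{port}._tcp.{mx_target.rstrip('.')}."


def tlsa_names_for_domain(mail_domain: str, mx_rrset: dict) -> list:
    """Return the TLSA names to query for every MX target of mail_domain.

    mx_rrset maps a mail domain to its (preference, target) pairs; here it
    is a constructed stand-in for a real DNSSEC-validated MX lookup.
    """
    targets = sorted(mx_rrset.get(mail_domain, []))
    return [tlsa_owner_name(target) for _, target in targets]


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse wire-format TLSA RDATA: usage, selector, matching type, data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record against the presented certificate."""
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_der
    else:
        return False  # unknown selector: treat the record as unusable
    if rec.matching_type == 0:
        digest = subject
    elif rec.matching_type == 1:
        digest = hashlib.sha256(subject).digest()
    elif rec.matching_type == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False  # unknown matching type: treat the record as unusable
    return hmac.compare_digest(digest, rec.cert_assoc)


def verify_dane_ee(records, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3): the leaf certificate itself must match a record.

    No PKIX chain and no hostname-in-certificate check is involved, which
    is what lets one certificate serve an MX host that fronts many mail
    domains. Usage 2 (DANE-TA) would additionally require building a chain
    to the trust anchor named in the record and is deliberately left out.
    """
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# --- constructed sample data (not real DNS data or a real certificate) ---
MX_RRSET = {"spodhuis.org": [(10, "mx.spodhuis.org.")]}
# Stand-ins for the DER bytes of the server's certificate and its SPKI.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes"
SPKI_DER = b"\x30\x59\x30\x13" + b"constructed-spki-bytes"
# TLSA 3 1 1 (DANE-EE, SPKI, SHA-256): what _25._tcp.mx.spodhuis.org. would hold.
GOOD_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SPKI_DER).digest()
# A 3 1 1 record for some other host's key; must not match.
OTHER_RDATA = bytes([3, 1, 1]) + hashlib.sha256(b"some-other-spki").digest()


if __name__ == "__main__":
    for name in tlsa_names_for_domain("spodhuis.org", MX_RRSET):
        print("query TLSA", name)
    recs = [parse_tlsa_rdata(OTHER_RDATA), parse_tlsa_rdata(GOOD_RDATA)]
    print("DANE-EE match:", verify_dane_ee(recs, CERT_DER, SPKI_DER))
```

In a real MTA the MX and TLSA answers must both arrive DNSSEC-validated (AD bit from a trusted validating resolver, or local validation) before any of this matters, which is exactly the question raised at the end of the message above; the example takes that as given.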