[dns-operations] Quad9 DNSSEC Validation?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 17:25:41 UTC 2021


On Mon, Mar 01, 2021 at 08:52:56AM -0600, Scott Morizot wrote:

> On Mon, Mar 1, 2021 at 7:26 AM Jim Popovitch wrote:
> 
> > Over on the email side, I know of several instances in the past 5+ years
> > where email providers have had to disable TLS and/or DANE/DNSSEC checks
> > (i.e. postfix's smtp_tls_policy_maps) for .mil and .gov domains due
> > mostly in part for poor key rollover management practives/monitoring.
> 
> Disabling SMTP opportunistic TLS is a bit different since the standard
> fallback should be plain text SMTP anyway.

Jim is not referring to disabling opportunistic STARTTLS, rather MTAs
that implement RFC7672 opportunistic DANE TLS will defer email to
destinations with broken TLSA record denial of existence.

This avoids downgrade attacks via TLSA record stripping, but if a domain
has persistent self-inflicted breakage of authenticated denial of
existence (no response at all to TLSA queries, or a bogus one), then
senders may end up implementing work-arounds.

Long years ago (2014/2015), I reported issues with e.g. fbi.gov and
loc.gov which were fairly promptly fixed.  Other domains took longer,
and TLSA denial of existence was for some time a recurring problem with
e.g. darpa.mil.  Lately, things are much better, and indeed recently
mail.mil published DANE TLSA records:

    https://twitter.com/VDukhovni/status/1362938179758788609

Today, I'm tracking only two .gov sites and no .mil sites with denial
of existence issues:

    tolc-nsn.gov. IN MX ? ; NODATA AD=1
    tolc-nsn.gov. IN A 162.144.45.112
    _25._tcp.tolc-nsn.gov. IN TLSA ? ; ServFail

    https://dnsviz.net/d/_25._tcp.tolc-nsn.gov/YD0hNg/dnssec/

    ofda.gov. IN MX 10 dc4vasmtp01.ofda.gov.
    ofda.gov. IN MX 10 dc4vasmtp02.ofda.gov.
    ofda.gov. IN MX 10 dc4vasmtp03.ofda.gov.
    ofda.gov. IN MX 50 dc6vasmtp01.ofda.gov.
    ofda.gov. IN MX 50 dc6vasmtp02.ofda.gov.
    _25._tcp.dc4vasmtp01.ofda.gov. IN TLSA ? ; RetryLimitExceeded
    _25._tcp.dc4vasmtp02.ofda.gov. IN TLSA ? ; RetryLimitExceeded
    _25._tcp.dc4vasmtp03.ofda.gov. IN TLSA ? ; RetryLimitExceeded
    _25._tcp.dc6vasmtp01.ofda.gov. IN TLSA ? ; RetryLimitExceeded
    _25._tcp.dc6vasmtp02.ofda.gov. IN TLSA ? ; RetryLimitExceeded

The ofda.gov situation appears to be related to UDP fragmentation, the
negative responses are 1563 bytes, and the server does not return TC=1
even when the requested EDNS buffer size is well below 1500, instead
the queries time out.  Only clients that set a buffer size of 1563
and up get an answer:

    $ dig -4 +norecur +dnssec +bufsize=1562 @ns03.ofda.gov -t tlsa _25._tcp.dc4vasmtp01.ofda.gov
    ...

> It's unclear from your phrasing, though, if they disabled SMTP TLS for
> specific domains under .gov or .mil or for both entire gTLDs. The latter
> would seem like an overreaction and downgrading security where there was no
> identified operational need.

Typically neither, rather a DNSSEC NTA was sufficient to disable DANE
for the domain.

-- 
    Viktor.


More information about the dns-operations mailing list