From ietf-dane at dukhovni.org Fri Apr 8 00:01:23 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 7 Apr 2016 22:01:23 +0000
Subject: DNS Hosting provider issues (mail.mil partly resolved, isphuset.no working on it)
In-Reply-To: <20150818050222.GB24426@mournblade.imrryr.org>
References: <20150119190115.GM29286@mournblade.imrryr.org> <20150120173922.GA8034@mournblade.imrryr.org> <20150126215312.GB8034@mournblade.imrryr.org> <20150129234235.GE8034@mournblade.imrryr.org> <20150202210107.GX8034@mournblade.imrryr.org> <20150204211203.GA8034@mournblade.imrryr.org> <20150204232324.GC8034@mournblade.imrryr.org> <20150318091546.GB3223@mournblade.imrryr.org> <20150806062001.GH24415@mournblade.imrryr.org> <20150818050222.GB24426@mournblade.imrryr.org>
Message-ID: <20160407220123.GB15621@mournblade.imrryr.org>

On Tue, Aug 18, 2015 at 05:02:22AM +0000, Viktor Dukhovni wrote:

> Speaking of poor handling of denial of existence, is anyone on this
> list a DNS hosting customer of "isphuset.no"?
>
> #WWP-ISPH-922-70734

While the isphuset.no issue is still open, I have some good news on that front:

Though no firm date at this time, the issue has not been dropped, it seems that upgraded software is undergoing internal testing, and once some issues have been ironed out will eventually be rolled out.

The "mail.mil" DNS server folks are working on their DNS issue, and today for the first time one of the name servers for "mail.mil" and similar domains has started responding to TLSA queries. With a bit of luck the rest will soon follow, but already DANE-enabled servers should be able to reach the domains below (perhaps after a couple of retries if DNS queries initially fail) without explicit work-arounds:

    fai.gov
    afnoc.af.mil
    afms.mil
    centcom.mil
    dau.mil
    dc3.mil
    dcaa.mil
    dcma.mil
    deca.mil
    defenselink.mil
    dfas.mil
    dimhrs.mil
    dla.mil
    dma.mil
    dmdc.mil
    doded.mil
    dodig.mil
    dsca.mil
    dss.mil
    dtra.mil
    forge.mil
    homes.mil
    jfcom.mil
    jsf.mil
    jten.mil
    mail.mil
    militaryonesource.mil
    navy.mil
    nga.mil
    osd.mil
    pacom.mil
    pentagon.mil
    pfpa.mil
    sapr.mil
    soc.mil
    stratcom.mil
    uscg.mil
    usmc.mil
    ustranscom.mil
    whs.mil

--
Viktor.


From patrickdk at patrickdk.com Fri Apr 8 03:55:50 2016
From: patrickdk at patrickdk.com (Patrick Domack)
Date: Thu, 07 Apr 2016 21:55:50 -0400
Subject: DNS Hosting provider issues (mail.mil partly resolved, isphuset.no working on it)
In-Reply-To: <20160407220123.GB15621@mournblade.imrryr.org>
References: <20150119190115.GM29286@mournblade.imrryr.org> <20150120173922.GA8034@mournblade.imrryr.org> <20150126215312.GB8034@mournblade.imrryr.org> <20150129234235.GE8034@mournblade.imrryr.org> <20150202210107.GX8034@mournblade.imrryr.org> <20150204211203.GA8034@mournblade.imrryr.org> <20150204232324.GC8034@mournblade.imrryr.org> <20150318091546.GB3223@mournblade.imrryr.org> <20150806062001.GH24415@mournblade.imrryr.org> <20150818050222.GB24426@mournblade.imrryr.org> <20160407220123.GB15621@mournblade.imrryr.org>
Message-ID: <20160407215550.Horde.MsNJbjGV3OGxCoPMF3KhHnS@mail.patrickdk.com>

Really good news.

Quoting Viktor Dukhovni:

> On Tue, Aug 18, 2015 at 05:02:22AM +0000, Viktor Dukhovni wrote:
>
>> Speaking of poor handling of denial of existence, is anyone on this
>> list a DNS hosting customer of "isphuset.no"?
>>
>> #WWP-ISPH-922-70734
>
> While the isphuset.no issue is still open, I have some good news on that front:
>
> Though no firm date at this time, the issue has not been dropped, it seems that upgraded software is undergoing internal testing, and once some issues have been ironed out will eventually be rolled out.
>
> The "mail.mil" DNS server folks are working on their DNS issue, and today for the first time one of the name servers for "mail.mil" and similar domains has started responding to TLSA queries. With a bit of luck the rest will soon follow, but already DANE-enabled servers should be able to reach the domains below (perhaps after a couple of retries if DNS queries initially fail) without explicit work-arounds:
>
> fai.gov
> afnoc.af.mil
> afms.mil
> centcom.mil
> dau.mil
> dc3.mil
> dcaa.mil
> dcma.mil
> deca.mil
> defenselink.mil
> dfas.mil
> dimhrs.mil
> dla.mil
> dma.mil
> dmdc.mil
> doded.mil
> dodig.mil
> dsca.mil
> dss.mil
> dtra.mil
> forge.mil
> homes.mil
> jfcom.mil
> jsf.mil
> jten.mil
> mail.mil
> militaryonesource.mil
> navy.mil
> nga.mil
> osd.mil
> pacom.mil
> pentagon.mil
> pfpa.mil
> sapr.mil
> soc.mil
> stratcom.mil
> uscg.mil
> usmc.mil
> ustranscom.mil
> whs.mil
>
> --
> Viktor.


From ietf-dane at dukhovni.org Thu Apr 14 20:23:45 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 14 Apr 2016 18:23:45 +0000
Subject: NEWSFLASH: DANE TLSA records published for web.de!
Message-ID: <20160414182345.GK26423@mournblade.imrryr.org>

The web.de domain has just published DANE TLSA records for its MX hosts:

    web.de. IN MX 100 mx-ha02.web.de. ; AD=1
    _25._tcp.mx-ha02.web.de. IN TLSA 3 1 1 409c9e91a2a9f4d7881dbf0094b3839d4343a4a57d9bf559fdeb0c1f4c5b8b3e ; passed
      Subject = CN=mx-ha02.web.de,emailAddress=server-certs at 1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
      Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
      Inception = 2014-07-22T11:21:46Z
      Expiration = 2017-07-27T23:59:59Z

    web.de. IN MX 100 mx-ha03.web.de. ; AD=1
    _25._tcp.mx-ha03.web.de. IN TLSA 3 1 1 33fccf0e82584b6133cf18d24ae592cc6cbc9cfcab13291a5585a2b20a30eb19 ; passed
      Subject = CN=mx-ha03.web.de,emailAddress=server-certs at 1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
      Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
      Inception = 2014-07-22T11:22:46Z
      Expiration = 2017-07-27T23:59:59Z

This is a major milestone in DANE adoption.

--
Viktor.


From ietf-dane at dukhovni.org Thu Apr 14 20:42:16 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 14 Apr 2016 18:42:16 +0000
Subject: Best practice TLSA RRs for CA-issued certs
Message-ID: <20160414184215.GM26423@mournblade.imrryr.org>

[ This assumes you are willing to trust your issuer CA to not misissue certificates for your domain, and include the CA certificate in your server chain file. ]

One approach to making sure that DANE TLSA records are less likely to fail, which should work well for sites using CA-issued certificates, is to publish both "3 1 1" and "2 1 1" TLSA records:

    mx.example. IN TLSA 3 1 1
    mx.example. IN TLSA 2 1 1

* The "3 1 1" record protects against "expiration" accidents, and unexpected changes in the issuer's public key (if new certificate chain deployment is automated).

* The "2 1 1" record protects against key rotation errors should a new server private key be deployed without updating the TLSA RRs. Provided the new certificate is issued by the same CA and is unexpired, ... the "2 1 1" record will match.

With a bit of monitoring to ensure that both records match, simultaneous failure of both is much less likely.
This even makes it possible to avoid pre-deployment DNS TLSA record updates when rotating certificates, provided at least one of the issuer public key or the server public key is unchanged in the new chain.

In particular, this is the best practice with Let's Encrypt issued SMTP server certificates, as explained in:

https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

--
Viktor.


From lst_hoe02 at kwsoft.de Fri Apr 15 09:29:16 2016
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Fri, 15 Apr 2016 07:29:16 +0000
Subject: NEWSFLASH: DANE TLSA records published for web.de!
In-Reply-To: <20160414182345.GK26423@mournblade.imrryr.org>
Message-ID: <20160415072916.Horde._hbgHnUv5pN36Q2DA7h4___@webmail.kwsoft.de>

Quoting Viktor Dukhovni:

> The web.de domain has just published DANE TLSA records for its MX hosts:
>
> web.de. IN MX 100 mx-ha02.web.de. ; AD=1
> _25._tcp.mx-ha02.web.de. IN TLSA 3 1 1 409c9e91a2a9f4d7881dbf0094b3839d4343a4a57d9bf559fdeb0c1f4c5b8b3e ; passed
>   Subject = CN=mx-ha02.web.de,emailAddress=server-certs at 1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
>   Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
>   Inception = 2014-07-22T11:21:46Z
>   Expiration = 2017-07-27T23:59:59Z
>
> web.de. IN MX 100 mx-ha03.web.de. ; AD=1
> _25._tcp.mx-ha03.web.de. IN TLSA 3 1 1 33fccf0e82584b6133cf18d24ae592cc6cbc9cfcab13291a5585a2b20a30eb19 ; passed
>   Subject = CN=mx-ha03.web.de,emailAddress=server-certs at 1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
>   Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
>   Inception = 2014-07-22T11:22:46Z
>   Expiration = 2017-07-27T23:59:59Z
>
> This is a major milestone in DANE adoption.

I wonder if the rest of the "United Internet" brands will follow soon. With gmx.de and web.de this company is responsible for around 50% of the non-commercial German e-mail traffic. It looks like they also switched their US based brand mail.com to use DANE (https://dane.sys4.de/smtp/mail.com).

Regards

Andreas


From p at sys4.de Fri Apr 15 09:38:08 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Fri, 15 Apr 2016 09:38:08 +0200
Subject: NEWSFLASH: DANE TLSA records published for web.de!
In-Reply-To: <20160415072916.Horde._hbgHnUv5pN36Q2DA7h4___@webmail.kwsoft.de>
References: <20160414182345.GK26423@mournblade.imrryr.org> <20160415072916.Horde._hbgHnUv5pN36Q2DA7h4___@webmail.kwsoft.de>
Message-ID: <20160415073808.GA1205@sys4.de>

* lst_hoe02 at kwsoft.de :
>
> Quoting Viktor Dukhovni:
>
> >This is a major milestone in DANE adoption.
>
> I wonder if the rest of the "United Internet" brands will follow soon. With gmx.de and web.de this company is responsible for around 50% of the non-commercial German e-mail traffic. It looks like they also switched their US based brand mail.com to use DANE (https://dane.sys4.de/smtp/mail.com).

Like other German mail providers who want their platform to be BSI certified, they are/will be required to DANE enable their SMTP service. They are among the first to adopt the requirements laid out in https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-09.html. I certainly hope many others will follow.
p at rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


From mailinglisten+spamtrap at pothe.de Thu Apr 21 13:05:11 2016
From: mailinglisten+spamtrap at pothe.de (Andreas Pothe)
Date: Thu, 21 Apr 2016 13:05:11 +0200
Subject: GMX will start within hours (was: NEWSFLASH: DANE TLSA records published for web.de!)
In-Reply-To: <20160414182345.GK26423@mournblade.imrryr.org>
References: <20160414182345.GK26423@mournblade.imrryr.org>
Message-ID: <31cc4fa2a32b17dcdec6fa8b389106ed.squirrel@www.pothe.de>

Hi,

it seems that GMX will start publishing DANE TLSA records within the next few hours. DNSSEC records were published yesterday. web.de had a delay of less than 48 hours between publishing DNSSEC and TLSA, I think it will be the same at GMX (both are part of United Internet).

Regards

Andreas

> The web.de domain has just published DANE TLSA records for its MX hosts:
>
> web.de. IN MX 100 mx-ha02.web.de. ; AD=1
> _25._tcp.mx-ha02.web.de. IN TLSA 3 1 1


From ietf-dane at dukhovni.org Thu Apr 21 18:44:30 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 21 Apr 2016 16:44:30 +0000
Subject: GMX will start within hours (was: NEWSFLASH: DANE TLSA records published for web.de!)
In-Reply-To: <31cc4fa2a32b17dcdec6fa8b389106ed.squirrel@www.pothe.de>
References: <20160414182345.GK26423@mournblade.imrryr.org> <31cc4fa2a32b17dcdec6fa8b389106ed.squirrel@www.pothe.de>
Message-ID: <20160421164430.GP26423@mournblade.imrryr.org>

On Thu, Apr 21, 2016 at 01:05:11PM +0200, Andreas Pothe wrote:

> it seems that GMX will start publishing DANE TLSA records within the next few hours. DNSSEC records were published yesterday. web.de had a delay of less than 48 hours between publishing DNSSEC and TLSA, I think it will be the same at GMX (both are part of United Internet).

Yes: https://www.ietf.org/mail-archive/web/uta/current/msg01511.html

So to the small number of domains with incorrect TLSA records, please fix or delete them, otherwise you're just losing email and causing grief to senders.

    f2h.at
    hanisauland.at
    allispdv.com.br
    bebidaliberada.com.br
    conjur.com.br
    giantit.com.br
    idsys.com.br
    lojabrum.com.br
    netlig.com.br
    prodnsbr.com.br
    simplesestudio.com.br
    solucoesglobais.com.br
    ticketmt.com.br
    twsolutions.net.br
    reich-trade.ch
    4nettech.com
    barbarassecret.com
    kkeane.com
    lastsip.com
    leatherfest.com
    missourivalleyambulance.com
    nctechcenter.com
    tntmonitoring.com
    bels.cz
    101host.de
    1post.de
    3nw.de
    bieberium.de
    florian-lehner.de
    jenserat.de
    omni128.de
    dhautefeuille.eu
    chets.fr
    dinepont.fr
    planissimo.fr
    mailserver.guru
    nonoserver.info
    wetterstation-pliening.info
    peeters.io
    castleturing.net
    der-flo.net
    freeservices.net
    kuzenkova.net
    linlab.net
    steelyard.nl
    wm.net.nz
    acsemb.org
    auxio.org
    dotbsd-fr.org
    gazonk.org
    hlfh.space

If anyone knows the administrators of any of the above, please give them a not so gentle nudge.

On the DNSSEC front, still waiting on isphuset.no (nudged them again), and a few others to fix either non-response to TLSA queries, or incorrect "authenticated denial of existence":

    Problem domains | DNS provider
                 41 | isphuset.no
                 22 | axc.nl
                 15 | tse.jus.br
                 11 | active24.cz
                 10 | forpsi.net
                  8 | netcup.net
                  5 | shockmedia.nl

Note that for some of the above providers (like forpsi) the observed problems are edge-cases, with most domains working fine. Still, it would be great to have these issues resolved.

--
Viktor.
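An added worked example (not from any poster on this list) of the "3 1 1" plus "2 1 1" scheme from Viktor's "Best practice TLSA RRs for CA-issued certs" message above: it builds both records from the server and issuer certificates, models the DANE-EE/DANE-TA matching rules, and shows which certificate rotations leave at least one record matching and which the recommended monitoring should flag. The byte strings standing in for DER certificates and SubjectPublicKeyInfo blobs are constructed placeholders; a real deployment hashes the actual DER bytes.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# TLSA RR = (usage, selector, matching type, hex data); cert = (full DER, SPKI DER); chains are leaf first.
TlsaRR = Tuple[int, int, int, str]
Cert = Tuple[bytes, bytes]

def assoc_data(cert: Cert, selector: int, mtype: int) -> str:
    """Selector 0 = full certificate, 1 = SPKI; matching type 1 = SHA-256, 2 = SHA-512."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(cert[selector]).hexdigest()

def tlsa_record(cert: Cert, usage: int, selector: int = 1, mtype: int = 1) -> TlsaRR:
    """RR to publish for cert: usage 3 (DANE-EE) for the server cert, 2 (DANE-TA) for its issuer."""
    return (usage, selector, mtype, assoc_data(cert, selector, mtype))

def rr_matches(rr: TlsaRR, chain: Sequence[Cert]) -> bool:
    """Usage 3 must match the leaf; usage 2 must match an issuer certificate the server
    includes in its chain. PKIX usages 0/1 need WebPKI validation and are not handled."""
    usage, selector, mtype, data = rr
    candidates = [chain[0]] if usage == 3 else list(chain[1:]) if usage == 2 else []
    return any(assoc_data(c, selector, mtype) == data.lower() for c in candidates)

def unmatched(records: Sequence[TlsaRR], chain: Sequence[Cert]) -> List[TlsaRR]:
    """Monitoring check: delivery still works while this is shorter than records, but any
    RR listed here means the pair no longer covers the next rotation and needs attention."""
    return [rr for rr in records if not rr_matches(rr, chain)]

def rotation_outcomes() -> Dict[str, int]:
    """Number of published RRs that still match after each kind of rotation (0 = delivery fails).
    The byte strings are constructed stand-ins for DER encodings, not real certificates."""
    ca = (b"ca-cert-der", b"ca-spki-der")
    other_ca = (b"other-ca-cert-der", b"other-ca-spki-der")
    leaf = (b"leaf-cert-v1-der", b"leaf-key-A-spki")
    published = [tlsa_record(leaf, 3), tlsa_record(ca, 2)]
    def matching(chain: Sequence[Cert], records: Sequence[TlsaRR] = published) -> int:
        return len(records) - len(unmatched(records, chain))
    return {
        "unchanged": matching([leaf, ca]),
        # Renewed certificate, same server key, same CA: both RRs still match.
        "renewed, same key": matching([(b"leaf-cert-v2-der", b"leaf-key-A-spki"), ca]),
        # New server key, same CA: only the "2 1 1" RR matches; monitoring should flag it.
        "new key, same CA": matching([(b"leaf-cert-v3-der", b"leaf-key-B-spki"), ca]),
        # Same key, reissued by another CA: only the "3 1 1" RR matches.
        "same key, new CA": matching([(b"leaf-cert-v4-der", b"leaf-key-A-spki"), other_ca]),
        # Both changed at once: nothing matches, so the RRs must be published before deploying.
        "new key, new CA": matching([(b"leaf-cert-v5-der", b"leaf-key-B-spki"), other_ca]),
        # With a lone "3 1 1" RR the new-key rotation above would already have failed.
        "3 1 1 only, new key": matching([(b"leaf-cert-v3-der", b"leaf-key-B-spki"), ca], published[:1]),
    }
```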