DANE SMTP behavior with inconsistent initial CNAME response

Jan-Pieter Cornet johnpc at xs4all.net
Mon Dec 10 15:41:17 CET 2018

On 10-12-18 14:27, Viktor Dukhovni wrote:
>> Um, putting an alias (record with CNAME) in an MX record is still frowned
>> upon by the RFCs (specifically, 2181 and 5321).
> Yes, but they are used in practice, and I don't know of any MTAs
> that refuse to follow the CNAMEs, so one has to live with their de
> facto use, despite the fact that they're undefined in RFC 5321 and
> legacy 2821, 821.

I really meant 2181 (Clarification to DNS specification), which is still current, but...

> The specification is carefully considered, and deals with the world
> as it is, not how I might like it to be.

Fair enough, I realize MX-pointing-to-CNAME exists and we have to live with it.

It would be a good idea for DANE SMTP verifiers to verify both ends of the CNAME (chain) for any TLSA records, and whether they match the real record. Just to avoid any pitfalls as I described.

> Yes, when CNAMEs are using on the receiving side, the setup can be
> fragile when configured sloppily, some receiver configurations are
> less secure than others.  This is *opportunistic* DANE TLS.

It still breaks mail delivery if you get it wrong though. Opportunistic DANE also means blocking the connection if there are TLSA records but they don't match.

> [on only checking original MX host TLSA records]
> Often, when CNAMEs are used, not present, so domain remains insecure.

That's indeed the biggest disadvantage of my proposal.

> The CNAME query is needed, only and exactly when the A records are
> found on the far side of a CNAME chain.  This is the case even for
> your proposal, because that's what it takes to determine whether
> the MX host lies in a secure zone, and skip TLSA records if not.

I'm not suggesting to skip the CNAME query. I'm suggesting to not treat errors from that query as blocking for delivery, if there is no DNSSEC signed domain involved. Since the CNAME query is a new addition to the mail delivery landscape, you risk running into unexpected results from nameservers.

... for which you give an excellent example yourself :)

> If one attempts TLSA lookups in unsigned zones one can't deliver
> any mail to any of the hundreds of thousands of signed domains
> hosted by Microsoft at outlook.com:
>      nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com. ; NoError AD=1
>      nist-gov.mail.protection.outlook.com. IN A ; NoError AD=0
>      _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; ServFail AD=0

As *.mail.protection.outlook.com is unsigned, there is no reason to lookup TLSA records, so the ServFail for the TLSA lookup shouldn't harm anyone. I didn't suggest any changes to that part of the protocol. (In fact, I don't think any DANE implementation even does the TLSA lookup on a non-signed result from the A query of the mx host?)\

Oh, PS:
nist-gov.mail.protection.outlook.com. IN CNAME ? ; ServFail AD=0
(The nameserver actually returns NOTIMP, which is converted to ServFail by the local resolver).
Now in this case the CNAME query isn't needed since there is no CNAME record involved, but still, it shows that nameservers can fail the CNAME query.

Jan-Pieter Cornet <johnpc at xs4all.net>
Systeembeheer XS4ALL Internet bv

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20181210/e47594b5/attachment.asc>

More information about the dane-users mailing list