ANN: Support of DANE and DNSSEC in Office 365 Exchange Online

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 7 20:51:15 CEST 2020


On Tue, Apr 07, 2020 at 05:15:48PM +0200, Bjørn Mork wrote:

> > Their first step will be to support outbound DANE by end of 2020 and
> > they plan to add inbound support for DANE by end of 2021.
> 
> I believe the very first step will have to be adding EDNS support:
> https://ednscomp.isc.org/ednscomp/298e5889d8
> 
> No DNSSEC without EDNS. And no DANE without DNSSEC.

Well, one can still do *outbound* DANE without any support for DNSSEC
or even EDNS for one's own domain; it suffices for the domains that are
secured by DANE to have EDNS + DNSSEC + TLSA RRs for all their MX hosts.

That said, I'm pleased to see that the link you posted shows that only
one of the four tested nameservers for protection.outlook.com does not
support EDNS; the other three are solid evidence that they can soon get
there.

That still leaves a different correctness problem that affects all the
servers (there are at least three more nameserver IP addresses
associated with the nameservers in question):

    @104.47.15.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.67.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.68.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.69.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.72.81   _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp
    @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA ? ; NotImp

The correct response is "NXDomain" not "NotImp":

    @104.47.15.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.67.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.68.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.69.17   _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.72.81   _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.118.145 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain
    @104.47.118.177 _25._tcp.nist-gov.mail.protection.outlook.com. IN A ? ; NXDomain

-- 
    Viktor.
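
Added example, not part of the original message: a Python check for the behaviour shown in the two listings above, comparing the RCODE a server returns for type A with the one it returns for type TLSA at the same name. The function names are hypothetical and the replies used in the demo are constructed, not captured from the servers listed.

```python
import socket
import struct

TYPE_A, TYPE_TLSA = 1, 52
RCODES = {0: "NoError", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def build_query(qname, qtype, qid=0x1234):
    """Encode a minimal non-recursive DNS query in RFC 1035 wire format."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def rcode_of(query, response):
    """Return the RCODE name from a response that matches the query ID."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0xF, "rcode%d" % (flags & 0xF))

def ask(server, qname, qtype, timeout=3.0):
    """Send one UDP query to an authoritative server (needs network access)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return rcode_of(query, s.recvfrom(4096)[0])

def tlsa_verdict(a_rcode, tlsa_rcode):
    """NXDomain applies to the whole name, so A and TLSA must agree on it."""
    if tlsa_rcode not in ("NoError", "NXDomain"):
        return "broken: TLSA query answered with " + tlsa_rcode
    if (a_rcode == "NXDomain") != (tlsa_rcode == "NXDomain"):
        return "inconsistent: A=%s TLSA=%s" % (a_rcode, tlsa_rcode)
    return "ok"

def constructed_reply(query, rcode):
    """Constructed sample: echo the query with QR and AA set plus an RCODE."""
    return query[:2] + struct.pack("!H", 0x8400 | rcode) + query[4:]

if __name__ == "__main__":
    name = "_25._tcp.nist-gov.mail.protection.outlook.com."
    qa, qt = build_query(name, TYPE_A), build_query(name, TYPE_TLSA)
    a = rcode_of(qa, constructed_reply(qa, 3))  # RCODE shown above for type A
    t = rcode_of(qt, constructed_reply(qt, 4))  # RCODE shown above for TLSA
    print(name, tlsa_verdict(a, t))
```

For a live check, call ask() once with TYPE_A and once with TYPE_TLSA against each authoritative server address and pass the two results to tlsa_verdict().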

