<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The wonderful <a href="http://internet.nl" class="">Internet.nl</a> website and e-mail security and standards compliance checker, which was the first thing I thought of when I saw this message from Viktor, doesn’t currently check for TLSA records for MX hosts (although it does check for DNSSEC on the zones of MX hostnames, e.g. <a href="https://internet.nl/mail/dns-example.info/results#" class="">https://internet.nl/mail/dns-example.info/results#</a>). It would be wonderful if that functionality could be added in a future update to their site. Does <a href="https://internet.nl/partners/#NLnetLabs" class="">NLnet Labs</a>, which develops the software for this great checking tool, have a public repository for it? If so, I would be happy to submit a pull-request or patch to add that functionality.<div class=""><br class=""></div><div class="">@alex</div><div class=""><br class=""></div><div class="">p.s. could someone at <a href="http://Internet.nl" class="">Internet.nl</a> please add Verisign Public DNS (<a href="https://www.verisign.com/en_US/security-services/public-dns/index.xhtml" class="">https://www.verisign.com/en_US/security-services/public-dns/index.xhtml</a>) to the list of DNSSEC-validating public DNS services at <a href="https://internet.nl/faqs/dnssec/?" 
class="">https://internet.nl/faqs/dnssec/?</a> They are the first major public DNS service after Google Public DNS to provide this feature, present from day one of their service (even though they don’t mention it), and they should be listed.</div><div class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 2017-02-10, at 15:25, Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" class="">ietf-dane@dukhovni.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><br class="">Some domains with DANE-TLSA records for their primary MX hosts<br class="">neglect to publish DANE TLSA for secondary and/or "black-hole"<br class="">(spam magnet) MX hosts.<br class=""><br class="">Consider nic.cz, until recently their "bh.nic.cz" host had no TLSA<br class="">records (and SMTP connections to that host would time out). This<br class="">gives an active on-path MiTM attacker opportunity to block connections<br class="">to the working MX hosts, and accept unauthenticated connections to<br class="">the black-hole MX host. After they were notified of the problem,<br class="">they made changes, and now we see TLSA records associated with<br class="">all the MX hosts, including "bh.nic.cz":<br class=""><br class=""> nic.cz. IN MX 10 mail.nic.cz. ; NOERROR AD=1<br class=""> nic.cz. IN MX 20 mx.nic.cz. ; NOERROR AD=1<br class=""> nic.cz. IN MX 30 bh.nic.cz. ; NOERROR AD=1<br class=""> ;<br class=""> mail.nic.cz. IN A 217.31.204.67 ; NOERROR AD=1<br class=""> mail.nic.cz. IN AAAA 2001:1488:800:400::400 ; NOERROR AD=1<br class=""> _25._tcp.mail.nic.cz. IN TLSA 3 1 1 4f9736249ab586f37fc110856f6a3358adadbf99db03628866466194f5bb2e09 ; NOERROR AD=1<br class=""> ;<br class=""> mx.nic.cz. IN A 217.31.58.56 ; NOERROR AD=1<br class=""> mx.nic.cz. IN AAAA 2001:1ab0:7e1e:c574:7a2b:cbff:fe33:7019 ; NOERROR AD=1<br class=""> _25._tcp.mx.nic.cz. 
IN TLSA 3 1 1 aa7b93daab084536530bd3256e9ceff4557cb43512640f7ab64487dc9ca14fab ; NOERROR AD=1<br class=""> ;<br class=""> bh.nic.cz. IN A 217.31.204.252 ; NOERROR AD=1<br class=""> bh.nic.cz. IN AAAA ? ; NODATA AD=1<br class=""> _25._tcp.bh.nic.cz. IN TLSA 3 1 1 4f9736249ab586f37fc110856f6a3358adadbf99db03628866466194f5bb2e09 ; NOERROR AD=1<br class=""><br class="">I've not yet nagged "<a href="http://iis.se" class="">iis.se</a>" or "wia.cz", and there we see that<br class="">only one of the two MX hosts has a TLSA record:<br class=""><br class=""> <a href="http://iis.se" class="">iis.se</a>. IN MX 5 <a href="http://mx1.iis.se" class="">mx1.iis.se</a>. ; NOERROR AD=1<br class=""> <a href="http://iis.se" class="">iis.se</a>. IN MX 5 <a href="http://mx2.iis.se" class="">mx2.iis.se</a>. ; NOERROR AD=1<br class=""> ;<br class=""> <a href="http://mx1.iis.se" class="">mx1.iis.se</a>. IN A 91.226.36.35 ; NOERROR AD=1<br class=""> <a href="http://mx1.iis.se" class="">mx1.iis.se</a>. IN AAAA 2a00:801:f0:106::35 ; NOERROR AD=1<br class=""> _25._<a href="http://tcp.mx1.iis.se" class="">tcp.mx1.iis.se</a>. IN TLSA 3 1 1 0894a6827f435ccb7435552290ff13e704776e4568235bbc899f515de3314ce3 ; NOERROR AD=1<br class=""> ;<br class=""> <a href="http://mx2.iis.se" class="">mx2.iis.se</a>. IN A 91.226.37.39 ; NOERROR AD=1<br class=""> <a href="http://mx2.iis.se" class="">mx2.iis.se</a>. IN AAAA 2001:67c:124c:2007::39 ; NOERROR AD=1<br class=""> _25._<a href="http://tcp.mx2.iis.se" class="">tcp.mx2.iis.se</a>. IN TLSA ? ; NXDOMAIN AD=1<br class=""><br class=""> wia.cz. IN MX 10 antispam.wia.cz. ; NOERROR AD=1<br class=""> wia.cz. IN MX 20 bntispam.wia.cz. ; NOERROR AD=1<br class=""> ;<br class=""> antispam.wia.cz. IN A 80.250.3.18 ; NOERROR AD=1<br class=""> antispam.wia.cz. IN AAAA ? ; NODATA AD=1<br class=""> _25._tcp.antispam.wia.cz. IN TLSA 3 1 1 3b67e777e8a11d373fae958c3ea5a200bd791813c0e6e9be34e2965bcfcc071e ; NOERROR AD=1<br class=""> ;<br class=""> bntispam.wia.cz. 
IN A 31.7.247.78 ; NOERROR AD=1<br class=""> bntispam.wia.cz. IN AAAA ? ; NODATA AD=1<br class=""> _25._tcp.bntispam.wia.cz. IN TLSA ? ; NXDOMAIN AD=1<br class=""><br class="">While during initial deployment it is natural to proceed incrementally<br class="">and add TLSA records to one MX host at a time, and test thoroughly<br class="">before moving on to the rest, the end-state should be to publish<br class="">TLSA records for all MX hosts, not a proper subset.<br class=""><br class="">-- <br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>Viktor.<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>
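The check Viktor describes (every MX host, including secondaries and black-hole hosts, must have a DNSSEC-authenticated TLSA record, not a proper subset of them) is mechanical enough to script. Below is an added example, not code from Viktor, Internet.nl or NLnet Labs, of what such a check looks like. It walks the MX RRset in preference order, looks up `_25._tcp.<mx>` TLSA for each host, and reports any host whose TLSA answer is missing or not authenticated (AD=0), since a client cannot use an insecure TLSA record and such a host is exactly where a downgrade would land. The lookup function is an injectable callback; the table it reads here is constructed from the records quoted in the message (plus one hypothetical unsigned-zone case that is not from the message), so the example runs offline. A real run would wrap a validating resolver that exposes the AD bit in the same `(rcode, ad, rdata)` signature.

```python
"""Added example: verify that every MX host of a domain carries a usable DANE TLSA record."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A lookup returns (rcode, ad_flag, rdata_strings). Any validating resolver that
# exposes the AD bit can be wrapped into this signature; a constructed in-memory
# table stands in for it below so the example runs offline.
Answer = Tuple[str, bool, List[str]]
Lookup = Callable[[str, str], Answer]


@dataclass
class DaneCoverage:
    domain: str
    mx_hosts: List[str] = field(default_factory=list)            # in MX preference order
    covered: Dict[str, List[str]] = field(default_factory=dict)  # host -> TLSA rdata
    uncovered: Dict[str, str] = field(default_factory=dict)      # host (or domain) -> reason

    @property
    def complete(self) -> bool:
        """True only when every MX host is DANE-protected, i.e. no proper subset."""
        return bool(self.mx_hosts) and not self.uncovered


def check_dane_mx(domain: str, lookup: Lookup) -> DaneCoverage:
    cov = DaneCoverage(domain)
    rcode, ad, mx_rrs = lookup(domain, "MX")
    if rcode != "NOERROR" or not mx_rrs:
        cov.uncovered[domain] = f"no MX RRset ({rcode})"
        return cov
    if not ad:
        # An unsigned MX RRset can be rewritten on path, so per RFC 7672 DANE
        # does not apply to the domain at all; report it rather than the hosts.
        cov.uncovered[domain] = "MX RRset not DNSSEC-authenticated (AD=0)"
        return cov
    # Preference order: primary, secondary, black-hole hosts are reported in turn.
    for _pref, host in sorted((int(p), h) for p, h in (rr.split() for rr in mx_rrs)):
        cov.mx_hosts.append(host)
        name = f"_25._tcp.{host}"
        rcode, ad, tlsa = lookup(name, "TLSA")
        if not ad:
            cov.uncovered[host] = f"{name}: answer not DNSSEC-authenticated, TLSA unusable"
        elif rcode != "NOERROR" or not tlsa:
            cov.uncovered[host] = f"{name}: {rcode}, no TLSA records"
        else:
            cov.covered[host] = tlsa
    return cov


def report(cov: DaneCoverage) -> List[str]:
    lines = [f"{cov.domain}: {'OK' if cov.complete else 'INCOMPLETE'} "
             f"({len(cov.covered)}/{len(cov.mx_hosts)} MX hosts with usable TLSA)"]
    for host in cov.mx_hosts:
        if host in cov.covered:
            lines.append(f"  + {host} {' | '.join(cov.covered[host])}")
        else:
            lines.append(f"  - {host} {cov.uncovered[host]}")
    if cov.domain in cov.uncovered:
        lines.append(f"  - {cov.uncovered[cov.domain]}")
    return lines


# Constructed resolver table built from the records quoted in the message
# (rcode, AD flag, rdata). Names not listed answer NXDOMAIN with AD=1.
_T = "3 1 1 "
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], Answer] = {
    ("nic.cz.", "MX"): ("NOERROR", True, ["10 mail.nic.cz.", "20 mx.nic.cz.", "30 bh.nic.cz."]),
    ("_25._tcp.mail.nic.cz.", "TLSA"): ("NOERROR", True, [_T + "4f9736249ab586f37fc110856f6a3358adadbf99db03628866466194f5bb2e09"]),
    ("_25._tcp.mx.nic.cz.", "TLSA"): ("NOERROR", True, [_T + "aa7b93daab084536530bd3256e9ceff4557cb43512640f7ab64487dc9ca14fab"]),
    ("_25._tcp.bh.nic.cz.", "TLSA"): ("NOERROR", True, [_T + "4f9736249ab586f37fc110856f6a3358adadbf99db03628866466194f5bb2e09"]),
    ("iis.se.", "MX"): ("NOERROR", True, ["5 mx1.iis.se.", "5 mx2.iis.se."]),
    ("_25._tcp.mx1.iis.se.", "TLSA"): ("NOERROR", True, [_T + "0894a6827f435ccb7435552290ff13e704776e4568235bbc899f515de3314ce3"]),
    ("_25._tcp.mx2.iis.se.", "TLSA"): ("NXDOMAIN", True, []),
    ("wia.cz.", "MX"): ("NOERROR", True, ["10 antispam.wia.cz.", "20 bntispam.wia.cz."]),
    ("_25._tcp.antispam.wia.cz.", "TLSA"): ("NOERROR", True, [_T + "3b67e777e8a11d373fae958c3ea5a200bd791813c0e6e9be34e2965bcfcc071e"]),
    ("_25._tcp.bntispam.wia.cz.", "TLSA"): ("NXDOMAIN", True, []),
    # Hypothetical case, not from the message: the MX host lives in an unsigned
    # zone and publishes a TLSA record, but with AD=0 a client cannot rely on it.
    ("unsigned-mx.example.", "MX"): ("NOERROR", True, ["10 mx.unsigned.example."]),
    ("_25._tcp.mx.unsigned.example.", "TLSA"): ("NOERROR", False, [_T + "00" * 32]),
}


def constructed_lookup(name: str, rtype: str) -> Answer:
    return CONSTRUCTED_ANSWERS.get((name, rtype), ("NXDOMAIN", True, []))


if __name__ == "__main__":
    for d in ("nic.cz.", "iis.se.", "wia.cz.", "unsigned-mx.example."):
        print("\n".join(report(check_dane_mx(d, constructed_lookup))))
```

Against the constructed table, nic.cz. reports OK (3/3), while iis.se. and wia.cz. each come back INCOMPLETE with mx2.iis.se. and bntispam.wia.cz. named as the uncovered hosts, which is the gap the message points at. Treating AD=0 on the TLSA answer as "uncovered" rather than merely "unverified" is deliberate: for the purpose of the end-state Viktor describes, a host whose TLSA record cannot be authenticated offers no more protection than one with no record at all.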