On Thu, Mar 14, 2013 at 11:21:06AM -0800, John Gilmore wrote:

> > Suppose a query to a known signed zone:
> > 
> >     Q: _25._tcp.mail.example.com. IN TLSA ?
> > 
> > and I receive a signed CNAME referral:
> > 
> >     A: _25._tcp.mail.example.com. IN CNAME 3.1.1._tlsa.example.edu.
> 
> > Is this a case of "no TLSA records" or "no usable TLSA records"?
> 
> This is a case of "no TLSA records".  That's a CNAME record, not a
> TLSA record.  If the domain admin wanted to put a TLSA record there,
> they know how to do that.

Yes, but the domain will still be surprised, because their *intent*
is to indirectly leverage a TLSA record stored elsewhere in the DNS.
For example:

  _25._tcp.open.nlnetlabs.nl. IN CNAME 3.1.1._dane.nlnetlabs.nl.
  3.1.1._dane.nlnetlabs.nl.   IN TLSA  3 1 1 0D1F...

In this case the CNAME points to a record in the same zone, but real
users will do stranger things.

> There is nothing magic about the _25._tcp subdomain names.  Using
> them for a CNAME (or an A record or anything else) does not indicate
> a desire to use TLSA records.

I agree with the logic (this is the answer I was hoping for and
expecting).  So domain owners will need to be cautioned about the
risks of CNAMEs intended for use with TLSA records.

-- 
        Viktor.
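The following is an added example, not code from the thread or from any of its participants. It is a small offline checker of the kind a zone operator might run before publishing a CNAME at a TLSA owner name: given a constructed table of RRsets, it follows the alias chain, reports whether the TLSA name is direct or an alias, and separates "no TLSA records" from "no usable TLSA records" by checking each record's parameter fields against the RFC 6698 value ranges. The zone contents, the `ZONE` table, the `check`/`lookup` helpers and the SHA-256 placeholder data are all constructed for illustration; the two alias shapes mirror the examples quoted above, the rest are invented cases (a dangling alias, a CNAME loop, a record with an unknown matching type).

```python
"""Added example (not from the thread): report what a TLSA lookup name
actually holds, so that CNAME indirection at _port._proto names is visible
to the operator before a validator has to interpret it."""
import hashlib
from dataclasses import dataclass

MAX_CNAME_HOPS = 8  # constructed limit; real resolvers bound chains too

# Constructed placeholder: a 64-hex-char SHA-256 digest standing in for the
# "0D1F..." data elided in the thread.
SHA256_HEX = hashlib.sha256(b"constructed SubjectPublicKeyInfo bytes").hexdigest()


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0..3 (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: str           # hex-encoded association data

    def is_usable(self) -> bool:
        """Parameter fields this checker knows how to act on (RFC 6698 values)."""
        if self.usage not in (0, 1, 2, 3) or self.selector not in (0, 1):
            return False
        if self.matching_type == 0:
            return len(self.data) > 0
        if self.matching_type == 1:
            return len(self.data) == 64    # SHA-256 -> 32 bytes -> 64 hex chars
        if self.matching_type == 2:
            return len(self.data) == 128   # SHA-512 -> 64 bytes -> 128 hex chars
        return False                       # unassigned matching type


# Constructed RRsets: owner name -> ("CNAME", target) or ("TLSA", [records]).
ZONE = {
    # same-zone indirection, the shape of the nlnetlabs example in the thread
    "_25._tcp.open.nlnetlabs.nl.": ("CNAME", "3.1.1._dane.nlnetlabs.nl."),
    "3.1.1._dane.nlnetlabs.nl.": ("TLSA", [TLSA(3, 1, 1, SHA256_HEX)]),
    # cross-zone indirection, the shape of the first example in the thread
    "_25._tcp.mail.example.com.": ("CNAME", "3.1.1._tlsa.example.edu."),
    "3.1.1._tlsa.example.edu.": ("TLSA", [TLSA(3, 1, 1, SHA256_HEX)]),
    # constructed: a TLSA RRset published directly at the lookup name
    "_25._tcp.direct.example.net.": ("TLSA", [TLSA(3, 1, 1, SHA256_HEX)]),
    # constructed: alias to a name that holds nothing
    "_25._tcp.dangling.example.net.": ("CNAME", "3.1.1._dane.nowhere.example."),
    # constructed: a CNAME loop
    "_25._tcp.loop.example.net.": ("CNAME", "_25._tcp.loop2.example.net."),
    "_25._tcp.loop2.example.net.": ("CNAME", "_25._tcp.loop.example.net."),
    # constructed: a record with an unassigned matching type
    "_25._tcp.odd.example.net.": ("TLSA", [TLSA(3, 1, 9, "abcd")]),
}


def lookup(name, zone):
    """Follow CNAMEs from `name`. Returns (chain, records); records is None
    when the chain loops or exceeds MAX_CNAME_HOPS."""
    chain, seen = [name], {name}
    while True:
        rr = zone.get(chain[-1])
        if rr is None:
            return chain, []               # nothing at the end of the chain
        rtype, value = rr
        if rtype == "TLSA":
            return chain, list(value)
        if value in seen or len(chain) > MAX_CNAME_HOPS:
            return chain, None             # loop or over-long chain
        chain.append(value)
        seen.add(value)


def check(name, zone=ZONE):
    """Classify what a validator finds at a TLSA owner name."""
    chain, records = lookup(name, zone)
    via_cname = len(chain) > 1
    if records is None:
        status = "broken CNAME chain"
    elif not records:
        status = "no TLSA records"
    elif not any(r.is_usable() for r in records):
        status = "no usable TLSA records"
    else:
        status = "usable TLSA records"
    return {"status": status, "via_cname": via_cname, "chain": chain}


if __name__ == "__main__":
    for owner in sorted(n for n in ZONE if n.startswith("_25._tcp.")):
        r = check(owner)
        alias = " (reached via CNAME)" if r["via_cname"] else ""
        print(f"{owner:36} {r['status']}{alias}")
```

The `via_cname` flag is the point of the exercise: both "usable TLSA records (reached via CNAME)" and "no TLSA records (name is a CNAME)" are outcomes a validator might report for the same zone data depending on how it treats the alias, so an operator who sees the flag set knows the result depends on client behaviour rather than only on what they published.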
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
