Viktor Dukhovni <[email protected]> wrote:
> On Fri, Apr 12, 2013 at 05:11:53PM +0100, Tony Finch wrote:
> >
> > That would be wrong. The specification is quite clear that the query name
> > for the TLSA record is constructed from the target name in the SRV or MX
> > record. Whether the target is an alias or not is immaterial.
>
> It may be contrary to the current draft specification, but I am quite
> sure that it is not "wrong", my contention is that either the
> specification is wrong (if it is to be understood to say anything at
> all about the illegal use of CNAMEs in SRV records) or it is simply
> not pertinent since CNAMEs are illegal.

That part of the spec is carefully written so that it works the same way
whether you allow CNAMEs or not. My aim was to avoid arguments about
specifying behaviour in situations that violate other standards.

> If you feel that the specification needs to address the CNAME
> case, please make it handle key management in a sensible way (i.e.
> by obviating the need for SNI, rather than further enshrining the
> SNI work-around in new standards).

You can't avoid the need for SNI by fiddling around with CNAMEs on the
target side of the SRV record, because SNI is used to deal with the
mismatch between the SRV query domain and target host name. It is possible
for server admins to avoid the need for SNI-based certificate selection if
they set things up the right way (and I need to explain that better in the
spec) but clients have to support SNI because they don't know enough about
the server setup.

> > In this situation I think the right thing would be to look for the TLSA in
> > the same place as when connecting to a host, as in RFC 6698 section 3.
> > That is, just add _25._tcp to the start of the domain.
> >
> > The reason I think this is right is that in the absence of MX records you
> > should get the same behaviour when you specify (per Sendmail and Postfix
> > notation) a relay host as "[hostname]" (i.e. without MX lookups) or as
> > "hostname" (i.e. with MX lookups).
>
> I read 6698 section 3 as a warning about the perils of mixing TLSA
> RRs and CNAMEs, not an imperative to use the left-side of a CNAME
> as the base domain for TLSA.

RFC 6698 section 3 doesn't say anything about CNAMEs: it says how to
construct a TLSA query name given a host name. The usual behaviour of
TLS clients is not to chase CNAME chains to canonicalize hostnames.

> Given a DNSSEC-validated chain of CNAMEs from mail.example.com to
> some underlying hostname, the base domain used by Postfix for TLSA
> will be the target host of the CNAME chain.  If the CNAME chain is
> NOT DNSSEC validated, Postfix will not look for TLSA RRs.

That disagrees with the behaviour described in RFC 6698 section A.2.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
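The two readings argued over above differ only in which name becomes the TLSA base domain. The following is an added illustration, not code from this thread, from Postfix or from RFC 6698: it builds the `_port._proto.base` owner name of RFC 6698 section 3 and then derives the base domain both ways, once from the MX/SRV target name as written (no CNAME chasing) and once from the end of a DNSSEC-validated CNAME chain, declining to look for TLSA at all when any hop is insecure, as Viktor describes for Postfix. The CNAME data, host names and the `secure` flags standing in for AD-bit validation are all constructed for the example.

```python
"""Deriving a TLSA query name for an MX/SRV target: two policies side by side.

Added example, not code from the mailing-list thread, Postfix or RFC 6698.
  * literal:   the target host name as it appears in the MX/SRV record is the
               base domain (RFC 6698 section 3, no CNAME chasing).
  * canonical: follow the CNAME chain from the target host; use its final
               owner name only if every hop was DNSSEC-validated, otherwise
               perform no TLSA lookup (the Postfix behaviour described above).
All DNS data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CNAME_HOPS = 8  # guard against loops or absurd chains in the data


@dataclass(frozen=True)
class Cname:
    target: str
    secure: bool  # stands in for "this RRset was DNSSEC-validated (AD bit)"


# Constructed CNAME RRs: owner name -> CNAME. Fully qualified, lower case.
CNAMES: Dict[str, Cname] = {
    "mail.example.com.": Cname("mx1.hosting.example.net.", secure=True),
    "mx1.hosting.example.net.": Cname("mx1.pod3.hosting.example.net.", secure=True),
    "mail.example.org.": Cname("mx.unsigned.example.", secure=False),
}


def normalize(name: str) -> str:
    """Lower-case and add the trailing dot so comparisons are consistent."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def tlsa_qname(base_domain: str, port: int, proto: str = "tcp") -> str:
    """RFC 6698 section 3 owner name: _<port>._<proto>.<base domain>."""
    return f"_{port}._{proto}.{normalize(base_domain)}"


def follow_cnames(name: str) -> Tuple[str, bool, List[str]]:
    """Chase CNAMEs from `name`.

    Returns (final owner name, whether every hop was secure, names visited).
    Raises ValueError on a loop or an over-long chain.
    """
    name = normalize(name)
    visited: List[str] = [name]
    secure = True
    for _ in range(MAX_CNAME_HOPS):
        rr = CNAMES.get(name)
        if rr is None:  # no CNAME here: this is the canonical name
            return name, secure, visited
        secure = secure and rr.secure
        name = normalize(rr.target)
        if name in visited:
            raise ValueError(f"CNAME loop at {name}")
        visited.append(name)
    raise ValueError("CNAME chain too long")


def tlsa_qname_literal(target_host: str, port: int = 25) -> str:
    """The MX/SRV target name is the base domain, whether or not it is an alias."""
    return tlsa_qname(target_host, port)


def tlsa_qname_canonical(target_host: str, port: int = 25) -> Optional[str]:
    """Canonical name as base domain if the whole CNAME chain validated;
    None means 'do not look for TLSA records' because a hop was insecure."""
    final, secure, _ = follow_cnames(target_host)
    if not secure:
        return None
    return tlsa_qname(final, port)


if __name__ == "__main__":
    for host in ("mail.example.com", "mail.example.org", "plain.example.net"):
        print(f"{host:20} literal={tlsa_qname_literal(host)} "
              f"canonical={tlsa_qname_canonical(host)}")
```

For a target with no CNAME the two policies agree; they diverge exactly in the aliased case the thread is about, and the canonical policy additionally has a third outcome (no lookup) when the chain is not validated end to end.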
