Hi Viktor,

Thanks for the nudge.

There are certainly ICANN people on this mailing list, including myself. I (while wearing the ICANN org hat) have responsibility for the engineering department that is tasked with the domain portfolio in ICANN and the infrastructure which DNSSEC-signs and serves it. We have had this discussion internally at ICANN; in fact we had it last year, and we have every intention to do this. (The SMTP part is another team, but they have also concurred and are willing to also 'walk the walk'.)

Our path to get there is currently dependent on an upgrade of our DNSSEC signing infrastructure (that also entails a move of datacenters). So please hang in there while we reconstruct some secure cages, ship some rather heavy safes, and commission new HSMs.

Please watch this space, and if you like I will post back here when we have both the RRs in and STARTTLS enabled.

Cheers
Terry

On 17/01/2015 3:56 pm, "Viktor Dukhovni" <[email protected]> wrote:

> Anyone have appropriate contacts at icann.org to encourage them
> to dogfood DANE TLSA RRs for their SMTP servers?
>
> A quick scan of the DNS and MX hosts shows that icann.org and all
> its MX hosts (A/AAAA records) are DNSSEC validated, but none of
> the MX hosts offer STARTTLS:
>
>   icann.org. IN MX 10 pechora1.icann.org. ; NOERROR AD=1
>   pechora1.icann.org. IN A 192.0.33.71 ; smtperr: STARTTLS not offered
>   pechora1.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:71 ; smtperr: STARTTLS not offered
>   icann.org. IN MX 10 pechora3.icann.org. ; NOERROR AD=1
>   pechora3.icann.org. IN A 192.0.33.73 ; smtperr: STARTTLS not offered
>   pechora3.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:73 ; smtperr: STARTTLS not offered
>   icann.org. IN MX 10 pechora4.icann.org. ; NOERROR AD=1
>   pechora4.icann.org. IN A 192.0.33.74 ; smtperr: STARTTLS not offered
>   pechora4.icann.org. IN AAAA 2620:0:2d0:201:0:0:1:74 ; smtperr: STARTTLS not offered
>   icann.org. IN MX 10 pechora5.icann.org. ; NOERROR AD=1
>   pechora5.icann.org. IN A 192.0.46.71 ; smtperr: STARTTLS not offered
>   pechora5.icann.org. IN AAAA 2620:0:2830:201:0:0:1:71 ; smtperr: STARTTLS not offered
>   icann.org. IN MX 10 pechora7.icann.org. ; NOERROR AD=1
>   pechora7.icann.org. IN A 192.0.46.73 ; smtperr: STARTTLS not offered
>   pechora7.icann.org. IN AAAA 2620:0:2830:201:0:0:1:73 ; smtperr: STARTTLS not offered
>   icann.org. IN MX 10 pechora8.icann.org. ; NOERROR AD=1
>   pechora8.icann.org. IN A 192.0.46.74 ; smtperr: STARTTLS not offered
>   pechora8.icann.org. IN AAAA 2620:0:2830:201:0:0:1:74 ; smtperr: STARTTLS not offered
>
> Sure looks like Sendmail with STARTTLS not enabled:
>
>   posttls-finger: Connected to pechora1.icann.org[192.0.33.71]:25
>   posttls-finger: < 220 pechora1.lax.icann.org ESMTP Sendmail 8.13.8/8.13.8; Sat, 17 Jan 2015 05:48:31 GMT
>   posttls-finger: > EHLO amnesiac.local
>   posttls-finger: < 250-pechora1.lax.icann.org Hello amnesiac.local [192.0.2.1], pleased to meet you
>   posttls-finger: < 250-ENHANCEDSTATUSCODES
>   posttls-finger: < 250-PIPELINING
>   posttls-finger: < 250-8BITMIME
>   posttls-finger: < 250-SIZE
>   posttls-finger: < 250-DSN
>   posttls-finger: < 250-ETRN
>   posttls-finger: < 250-DELIVERBY
>   posttls-finger: < 250 HELP
>   posttls-finger: > QUIT
>   posttls-finger: < 221 2.0.0 pechora1.lax.icann.org closing connection
>
> all they have to do is enable STARTTLS and publish TLSA RRs. Either
> some suitable DANE-TA(2) trust-anchor with CNAMEs for each host's
> TLSA RRset to a shared location where the trust-anchor
>
>   IN TLSA DANE-TA(2) Cert(0) SHA2-256(1) <CA cert digest>
>
> TLSA RRset is defined, or a different self-signed certificate for
> each MX host with per-host
>
>   IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) <Host SPKI digest>
>
> records. We got there for ietf.org, and I think icann.org should
> set a similar example. People reasonably seem to expect them to,
> based on frequent tests for icann.org at https://dane.sys4.de/
>
> Do what you say and all that...
>
> --
>  Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
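An added example, not code from this thread or from ICANN, of how the two TLSA record forms Viktor lists are derived and checked: it builds a constructed stand-in certificate (dummy key, no real signature), extracts the SubjectPublicKeyInfo with a small DER walker, emits the DANE-EE(3) SPKI(1) SHA2-256(1) rdata, and verifies a presented certificate against a record. The `_25._tcp.` owner label is assumed as the standard TLSA name for SMTP on port 25; the thread itself does not spell it out.

```python
import hashlib
def der(tag, body):  # minimal DER TLV encoder, only used to build the constructed sample cert
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _tlv(data, pos):  # decode one DER header -> (tag, value_start, value_end)
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length
def der_children(data, pos):  # (tag, tlv_start, tlv_end) of each element of the SEQUENCE at pos
    _, cur, end = _tlv(data, pos)
    while cur < end:
        tag, _, vend = _tlv(data, cur)
        yield tag, cur, vend
        cur = vend
def extract_spki(cert_der):
    """DER subjectPublicKeyInfo of an X.509 certificate (TLSA selector SPKI(1))."""
    _, tbs, _ = next(der_children(cert_der, 0))  # tbsCertificate
    fields = list(der_children(cert_der, tbs))
    if fields[0][0] == 0xA0:  # skip the optional explicit [0] version
        fields = fields[1:]
    _, start, end = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    return cert_der[start:end]
def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format TLSA rdata, e.g. '3 1 1 <hex SHA-256 of the SPKI>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # Cert(0) or SPKI(1)
    if mtype == 1:
        data = hashlib.sha256(data).digest()  # SHA2-256(1)
    elif mtype == 2:
        data = hashlib.sha512(data).digest()  # SHA2-512(2)
    return f"{usage} {selector} {mtype} {data.hex()}"
def tlsa_matches(cert_der, rdata):
    """Cert matches record? Caller picks the cert: the server's own for DANE-EE(3), an issuer for DANE-TA(2)."""
    usage, selector, mtype, _ = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)) == rdata.lower()

# Constructed, unsigned stand-in certificate with a dummy 64-byte key (not a real icann.org cert).
RSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(1, 65))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + RSA_SHA256
                            + der(0x30, b"") + der(0x30, der(0x17, b"150117000000Z") + der(0x17, b"160117000000Z"))
                            + der(0x30, b"") + SAMPLE_SPKI) + RSA_SHA256 + der(0x03, b"\x00" + bytes(32)))

if __name__ == "__main__":
    print("_25._tcp.pechora1.icann.org. IN TLSA", tlsa_rdata(SAMPLE_CERT, 3, 1, 1))  # DANE-EE(3) SPKI(1)
```

For the DANE-TA(2) Cert(0) form, call `tlsa_rdata` on the CA certificate instead of the host certificate and check the issuer from the presented chain with `tlsa_matches`.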
