On Tue, 17 Feb 2015, Viktor Dukhovni wrote:

This creates an interesting edge-case for testing whether individual
MX hosts (or SRV target hosts) live in a signed zone (that's the
purpose of the A/AAAA queries in the SRV and SMTP drafts that
gate the applicability of TLSA lookups):

        ; example.com is a signed zone
        ;
        example.com. IN MX 0 mail.example.com.
        mail.example.com. IN CNAME mail.example.net.
        _25._tcp.mail.example.com. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855


        ; example.net is an "insecure" zone:
        ;
        mail.example.net. IN A 192.0.2.1

When a query for the "A" records of "mail.example.com." is
sent to a validating iterative resolver, the response has
a CNAME RR, an "A" RR and AD=0.  However, the query domain
is actually "secure"; the reason for "AD=0" is that the CNAME
points into an "insecure" zone.

To accommodate this edge-case, when the A/AAAA record returns
an insecure CNAME, Postfix sends a second query:

        mail.example.com. IN CNAME ?

and if that yields "AD=1", TLSA records are still requested:

        _25._tcp.mail.example.com. IN TLSA ?

and used if returned (with AD=1).

Why does postfix care about the security of the A/CNAME results before
asking for TLSA records?

Why isn't it asking for TLSA records and, if those are secure, not
caring about the AD bit for the A/AAAA/CNAME?

As long as whatever insecure A/CNAME/AAAA address has the right
certificate you were looking for.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
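The gating logic Viktor describes (and the alternative Paul asks about), as an added example that is not part of this thread and is not Postfix's code. It uses a mock validating resolver over constructed zone data taken from the post, plus one extra hypothetical name, mx.example.net, that exercises the "insecure CNAME" branch. The gate_on_address flag is my assumption of what Paul's question means: skip the A/AAAA security check and go straight to the TLSA query.

```python
"""Simulated DNSSEC gating of TLSA lookups for an MX host.

Constructed example; not Postfix code.  The resolver is a mock that sets the
AD bit only when every RRset on the answer chain came from a signed zone,
which is what makes the CNAME-into-unsigned-zone case return AD=0.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    answers: tuple          # RRs in answer-section order (CNAME chain first)
    ad: bool                # AD bit as a validating resolver would set it


# Constructed zone data mirroring the post.  example.com is signed, example.net
# is not.  mx.example.net is hypothetical (not in the post) and demonstrates a
# CNAME whose owner itself lives in an unsigned zone.
SIGNED_ZONES = ("example.com.",)
ZONE = {
    ("example.com.", "MX"): ("0 mail.example.com.",),
    ("mail.example.com.", "CNAME"): ("mail.example.net.",),
    ("_25._tcp.mail.example.com.", "TLSA"):
        ("3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",),
    ("mail.example.net.", "A"): ("192.0.2.1",),
    ("mx.example.net.", "CNAME"): ("mail.example.net.",),
}


def zone_is_signed(name: str) -> bool:
    return any(name == z or name.endswith("." + z) for z in SIGNED_ZONES)


def resolve(qname: str, qtype: str) -> Response:
    """Mock validating iterative resolver.

    Follows CNAMEs (except when CNAME itself is asked for) and clears AD as
    soon as any RRset on the chain, or the final negative answer, comes from
    an unsigned zone.
    """
    answers = []
    ad = True
    name = qname
    seen = set()                       # guards against CNAME loops
    while name not in seen:
        seen.add(name)
        if (name, qtype) in ZONE:
            answers.extend(RR(name, qtype, r) for r in ZONE[(name, qtype)])
            ad = ad and zone_is_signed(name)
            break
        if qtype != "CNAME" and (name, "CNAME") in ZONE:
            target = ZONE[(name, "CNAME")][0]
            answers.append(RR(name, "CNAME", target))
            ad = ad and zone_is_signed(name)
            name = target
            continue
        ad = ad and zone_is_signed(name)   # NODATA: secure only if proof is signed
        break
    return Response(tuple(answers), ad)


def tlsa_for_mx_host(host: str, port: int = 25,
                     gate_on_address: bool = True) -> tuple:
    """Return (usable TLSA rdata list or None, reason).

    With gate_on_address=True this follows the sequence the post describes:
    A query; if AD=0 but the name has a CNAME, re-ask for the CNAME alone;
    request TLSA only if the host proved to be in a signed zone.
    With gate_on_address=False it models Paul's alternative: ask for TLSA
    regardless and rely on the TLSA answer's own AD bit.
    """
    if gate_on_address:
        addr = resolve(host, "A")
        if not addr.answers:
            return None, "no address records"
        if addr.ad:
            secure = True
        elif any(rr.rtype == "CNAME" and rr.name == host for rr in addr.answers):
            # AD=0 may only mean the CNAME target is unsigned; the CNAME RRset
            # itself (and hence the TLSA owner name) may still be secure.
            secure = resolve(host, "CNAME").ad
        else:
            secure = False
        if not secure:
            return None, "host not in a signed zone; TLSA not requested"
    tlsa = resolve(f"_{port}._tcp.{host}", "TLSA")
    if not tlsa.answers:
        return None, "no TLSA records"
    if not tlsa.ad:
        return None, "TLSA records not validated (AD=0); ignored"
    return [rr.rdata for rr in tlsa.answers], "TLSA usable"


if __name__ == "__main__":
    for h in ("mail.example.com.", "mail.example.net.", "mx.example.net."):
        print(h, tlsa_for_mx_host(h))
```

In the mock, mail.example.com. gets AD=0 on its A query because the chain ends in example.net, AD=1 on the CNAME-only query, and therefore a validated TLSA RRset; mx.example.net. fails the second query because its CNAME owner is itself unsigned, so no TLSA query is ever sent.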