Send dhcp-users mailing list submissions to
        dhcp-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
        dhcp-users-requ...@lists.isc.org

You can reach the person managing the list at
        dhcp-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."


Today's Topics:

   1. test message (Thomas Markwalder)
   2. dhcp-users list appears to have been offline (Thomas Markwalder)
   3. Re: test message (/dev/rob0)
   4. requested test message (Friesen, Don CITZ:EX)
   5. Re: test message (Bjørn Mork)
   6. help with custom option request in dhclient (Tom Pusateri)
   7. Re: test message (/dev/rob0)
   8. Re: test message (Bjørn Mork)


----------------------------------------------------------------------

Message: 1
Date: Wed, 11 Apr 2018 08:58:56 -0400
From: Thomas Markwalder <tm...@isc.org>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: test message
Message-ID: <f68ea4dd-15ca-bab1-3eee-3dd53f16e...@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed

User states list isn't working.



------------------------------

Message: 2
Date: Wed, 11 Apr 2018 09:30:22 -0400
From: Thomas Markwalder <tm...@isc.org>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: dhcp-users list appears to have been offline
Message-ID: <a3c64963-1b34-2471-76e5-8781204ae...@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed

Hello:

It seems we had an interruption in our mailing lists service but they 
are hopefully working again. If you tried to send something between 
3/27 and 4/2 or so, please try again. If you experience issues with the 
list, please email me directly or open a DHCP bug ticket for it. We 
apologize for any inconvenience this may have caused you.

Regards,

Thomas Markwalder
ISC Software Engineering


------------------------------

Message: 3
Date: Wed, 11 Apr 2018 08:43:21 -0500
From: /dev/rob0 <r...@gmx.co.uk>
To: dhcp-users@lists.isc.org
Subject: Re: test message
Message-ID: <20180411134321.gv5...@harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii

On Wed, Apr 11, 2018 at 08:58:56AM -0400, Thomas Markwalder wrote:
> User states list isn't working.

I think what wasn't working was https://lists.isc.org/ , because the 
SSL certificate was expired.  This has since been fixed.  I posted 
about that to the BIND list last night, and DANE (RFC 6698) did not 
fail,

Apr 11 00:12:28 harrier postfix/smtp[1273]: Verified TLS connection 
established to mx.pao1.isc.org[149.20.64.53]:25: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

But then, AFAIK DANE only cares about the RRSIG on the TLSA record, 
not about a certificate's own expiration, so a DANE connection can 
still be "Verified" while the certificate is expired.

If this doesn't arrive on the list right away it might mean that 
ISC's TLSA records were not updated yet for the new certificates. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


------------------------------

Message: 4
Date: Wed, 11 Apr 2018 13:45:46 +0000
From: "Friesen, Don CITZ:EX" <don.frie...@gov.bc.ca>
To: "'dhcp-users@lists.isc.org'" <dhcp-users@lists.isc.org>
Subject: requested test message
Message-ID: <c3bcdc09c78c4f7abbddd99bd8d9d...@e3pmbx06.idir.BCGOV>
Content-Type: text/plain; charset="us-ascii"


  As requested by Thomas.  Don the rat runs a maze.

Don Friesen

------------------------------

Message: 5
Date: Wed, 11 Apr 2018 22:15:12 +0200
From: Bjørn Mork <bj...@mork.no>
To: /dev/rob0 <r...@gmx.co.uk>
Cc: dhcp-users@lists.isc.org
Subject: Re: test message
Message-ID: <87vacxo5yn....@miraculix.mork.no>
Content-Type: text/plain; charset=utf-8

/dev/rob0 <r...@gmx.co.uk> writes:

> If this doesn't arrive on the list right away it might mean that 
> ISC's TLSA records were not updated yet for the new certificates. :)

Does not look like it to me:

bjorn@canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
        Usage:                          3 (End-Entity [DANE-EE])
        Selector:                       0 (Certificate [Cert])
        Matching Type:                  1 (SHA-256)
        Certificate for Association:    
9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned 
for rrtype AAAA (28).
Got the following IP: 149.20.1.60
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the 
TLSA record (149.20.1.60)


They should probably consider the good advice found here:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

and combine that with Viktor's recommendations given here:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html



Bjørn


------------------------------

Message: 6
Date: Wed, 11 Apr 2018 18:01:54 -0400
From: Tom Pusateri <pusat...@bangj.com>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: help with custom option request in dhclient
Message-ID: <58f70460-fa3a-4e0b-9b59-f18c0bfb5...@bangj.com>
Content-Type: text/plain; charset=utf-8

I have defined an encapsulated option and am requesting it in dhclient. 
However, I'm not seeing the request in a tcpdump trace of the request. I 
included other dhcp options in the request and they are present but not my 
custom one. Any ideas to what I'm doing wrong? hex 0017 and 0027 are the 
dhcp6.fqdn and dhcp6.name-servers options you can see in the tcpdump below but 
the length is 0004 so it's not trying to add more options I don't think.

dhclient.conf
------------
option space foo;
option foo.first code 226 = ip6-address;
option foo.second code 227 = unsigned integer 16;
option foo.third code 228 = domain-list;
option foo.fourth code 229 = text;
option foo-encapsulation code 225 = encapsulate foo;

request dhcp6.fqdn, dhcp6.name-servers, foo.first, foo.second, foo.third;
------------------

I've also tried:
request dhcp6.fqdn, dhcp6.name-servers, foo-encapsulation with the same result.


# /usr/local/sbin/dhclient --version
isc-dhclient-4.4.1
# /usr/local/sbin/dhclient -v -d -1 -S -p 1067 -cf ./dhclient.conf -lf 
./dhclient.leases -pf ./dhclient.pid en0

% tcpdump -i en0 -vvvv udp -s 1500 port 1067
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes


15:50:42.915158 IP6 (flowlabel 0x92cce, hlim 1, next-header UDP (17) payload 
length: 40) butte-480.local.instl_boots > ff02::1:2.dhcpv6-server: [udp sum ok] 
dhcp6 inf-req (xid=7b23c6 (client-ID hwaddr type 1 784f434f30b5) 
(option-request DNS-server Client-FQDN) (elapsed-time 625))
        0x0000:  6009 2cce 0028 1101 fe80 0000 0000 0000
        0x0010:  1471 b2e9 a8fa 9e1b ff02 0000 0000 0000
        0x0020:  0000 0000 0001 0002 042b 0223 0028 cef1
        0x0030:  0b7b 23c6 0001 000a 0003 0001 784f 434f
        0x0040:  30b5 0006 0004 0017 0027 0008 0002 0271


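To see exactly which option codes that Information-Request carries in its Option Request Option (ORO), here is a small decoder run over the hex dump above. It is an added example, not code from Tom's post or from ISC dhclient; the framing offsets (40-byte IPv6 header, 8-byte UDP header) and option codes follow RFC 8415.

```python
"""Decode the DHCPv6 Information-Request from the tcpdump hex dump above
and list the option codes the client actually asked for in its ORO."""
import struct

# Hex dump copied from the message above: IPv6 header + UDP header + DHCPv6.
HEXDUMP = """
0x0000:  6009 2cce 0028 1101 fe80 0000 0000 0000
0x0010:  1471 b2e9 a8fa 9e1b ff02 0000 0000 0000
0x0020:  0000 0000 0001 0002 042b 0223 0028 cef1
0x0030:  0b7b 23c6 0001 000a 0003 0001 784f 434f
0x0040:  30b5 0006 0004 0017 0027 0008 0002 0271
"""

IPV6_HDR_LEN = 40
UDP_HDR_LEN = 8
OPTION_ORO = 6                       # Option Request Option (RFC 8415)
MSG_TYPES = {1: "solicit", 11: "inf-req"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump's 'offset: words...' lines back into raw packet bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split()[1:])       # drop the "0x0000:" offset
    return bytes.fromhex("".join(words))

def parse_dhcpv6(payload: bytes) -> dict:
    """Return msg-type, xid and a {code: raw value} map of top-level options."""
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    opts, pos = {}, 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        if pos + 4 + length > len(payload):
            raise ValueError("truncated option %d" % code)
        opts[code] = payload[pos + 4:pos + 4 + length]
        pos += 4 + length
    return {"type": MSG_TYPES.get(msg_type, msg_type), "xid": xid, "options": opts}

def requested_codes(dump: str) -> list:
    """Option codes listed in the ORO, each a 16-bit big-endian value."""
    pkt = hexdump_to_bytes(dump)
    msg = parse_dhcpv6(pkt[IPV6_HDR_LEN + UDP_HDR_LEN:])
    oro = msg["options"].get(OPTION_ORO, b"")
    return [code for (code,) in struct.iter_unpack("!H", oro)]

if __name__ == "__main__":
    codes = requested_codes(HEXDUMP)
    print("ORO requests option codes:", codes)                    # [23, 39]
    print("custom codes 225-229 present:", any(225 <= c <= 229 for c in codes))
```

With the dump as posted, the ORO holds only codes 23 (DNS servers) and 39 (Client FQDN), which is what the length field 0004 already implied.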

------------------------------

Message: 7
Date: Wed, 11 Apr 2018 18:20:25 -0500
From: /dev/rob0 <r...@gmx.co.uk>
To: dhcp-users@lists.isc.org
Subject: Re: test message
Message-ID: <20180411232025.gz5...@harrier.slackbuilds.org>
Content-Type: text/plain; charset=iso-8859-1

On Wed, Apr 11, 2018 at 10:15:12PM +0200, Bjørn Mork wrote:
> /dev/rob0 <r...@gmx.co.uk> writes:
> 
> > If this doesn't arrive on the list right away it might mean that 

(It did arrive and was distributed right away.)

> > ISC's TLSA records were not updated yet for the new certificates. :)
> 
> Does not look like it to me:
> 
> bjorn@canardo:~$ tlsa -dv lists.isc.org

That's the wrong hostname for mail.  Check the MX for lists.isc.org.

$ dig lists.isc.org. mx +noall +answer

; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
;; global options: +cmd
lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.

$ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall 
+answer ; done

; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 
5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

> Received the following record for name _443._tcp.lists.isc.org.:
>         Usage:                          3 (End-Entity [DANE-EE])
>         Selector:                       0 (Certificate [Cert])
>         Matching Type:                  1 (SHA-256)
>         Certificate for Association:    
> 9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
> This record is valid (well-formed).
> Attempting to verify the record with the TLS service...
> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned 
> for rrtype AAAA (28).
> Got the following IP: 149.20.1.60
> Did set servername lists.isc.org
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match 
> the TLSA record (149.20.1.60)

We're drifting off topic here, but I thought DANE hadn't really made 
it to HTTPS yet?  This appears wrong, but does it matter?  DANE is in 
use for SMTP.

> They should probably consider the good advice found here:
> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
> 
> and combine that with Viktor's recommendations given here:
> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

Of course.  In addition I'd suggest that LE certificates, while nice 
for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes, 
because it will help with MUAs, but for mail exchange, I use my own 
private CA.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


------------------------------

Message: 8
Date: Thu, 12 Apr 2018 10:59:04 +0200
From: Bjørn Mork <bj...@mork.no>
To: /dev/rob0 <r...@gmx.co.uk>
Cc: dhcp-users@lists.isc.org
Subject: Re: test message
Message-ID: <873700n6lj....@miraculix.mork.no>
Content-Type: text/plain; charset=utf-8

/dev/rob0 <r...@gmx.co.uk> writes:

> That's the wrong hostname for mail.  Check the MX for lists.isc.org.
>
> $ dig lists.isc.org. mx +noall +answer
>
> ; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
> ;; global options: +cmd
> lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
> lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.
>
> $ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall 
> +answer ; done
>
> ; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 
> 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
>
> ; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 
> 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916


Yes, mx.pao1.isc.org is fine as shown by https://dane.sys4.de/smtp/lists.isc.org

mx.ams1.isc.org does not answer on port 25 so it's hard to tell if the
certificate is OK. 


>> Received the following record for name _443._tcp.lists.isc.org.:
>>         Usage:                          3 (End-Entity [DANE-EE])
>>         Selector:                       0 (Certificate [Cert])
>>         Matching Type:                  1 (SHA-256)
>>         Certificate for Association:    
>> 9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
>> This record is valid (well-formed).
>> Attempting to verify the record with the TLS service...
>> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data 
>> returned for rrtype AAAA (28).
>> Got the following IP: 149.20.1.60
>> Did set servername lists.isc.org
>> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match 
>> the TLSA record (149.20.1.60)
>
> We're drifting off topic here, but I thought DANE hadn't really made 
> it to HTTPS yet?  This appears wrong, but does it matter?

They have chosen to publish a TLSA record.  Of course it matters.  If it
didn't, then they surely wouldn't have gone through the extra hassle of
maintaining yet another TLSA record.  Would they?

I guess there is still too much money in the https business for full
DANE support in browsers.  You can use the excellent plugin from
https://www.dnssec-validator.cz/ to get a visual hint.  But it doesn't
replace a DANE validating browser.  The plugin cannot override the
certificate expiration checks built into the browsers, and it does not
ask any questions even if the TLSA validation fails.

> DANE is in use for SMTP.

Maybe. I'm not convinced there are too many strictly validating MTAs out
there...

>> They should probably consider the good advice found here:
>> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>> 
>> and combine that with Viktor's recommendations given here:
>> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>
> Of course.  In addition I'd suggest that LE certificates, while nice 
> for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes, 
> because it will help with MUAs, but for mail exchange, I use my own 
> private CA.

I would have agreed a couple of years ago. Of course you *can* use a
private CA for smtp without any issues, and there might be advantages
like being able to relay based on the CA. But LE has made it simpler to
use their CA than maintaining your own.  There is really no reason why
you shouldn't take advantage of that for smtp too.


Bjørn

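As an added illustration of the DANE-EE matching that the two previous messages argue about (not code from either poster, nor from the tlsa tool): a usage-3 verifier hashes the selected part of the server certificate and compares it with the association data, so a certificate renewal that keeps the old 3 0 1 record fails, while a 3 1 1 record over an unchanged key keeps matching, which is the substance of the Let's Encrypt advice linked above. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER.

```python
"""DANE-EE (usage 3) TLSA matching: hash the selected certificate data
and compare it with the record, as a TLS client or MTA would."""
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates and their
# SubjectPublicKeyInfo (real values come from the TLS handshake).
OLD_CERT_DER = b"\x30\x82\x01\x00OLD-CERT" + b"\x00" * 20
NEW_CERT_DER = b"\x30\x82\x01\x00NEW-CERT" + b"\x00" * 20   # renewed cert
SAME_SPKI = b"\x30\x59SPKI-KEPT-ACROSS-RENEWAL"           # same key pair

def selected_data(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo (RFC 6698)."""
    return {0: cert_der, 1: spki_der}[selector]

def association_data(matching_type: int, data: bytes) -> bytes:
    """Matching type 0 = exact, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    return {0: data,
            1: hashlib.sha256(data).digest(),
            2: hashlib.sha512(data).digest()}[matching_type]

def parse_tlsa(rdata: str):
    """Parse '3 0 1 7190...0C60 7AE0'; dig may split the hex with spaces."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def make_tlsa(usage, selector, mtype, cert_der, spki_der) -> str:
    """Presentation-format RDATA for the given certificate, as an operator publishes it."""
    data = association_data(mtype, selected_data(selector, cert_der, spki_der))
    return "%d %d %d %s" % (usage, selector, mtype, data.hex().upper())

def dane_ee_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Usage 3 compares only the association data: no PKIX chain, no expiry
    check, which is why an expired certificate can still 'verify' under DANE.
    A real client must also require DNSSEC-validated (AD) TLSA answers."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    expected = association_data(mtype, selected_data(selector, cert_der, spki_der))
    return hmac.compare_digest(expected, assoc)

if __name__ == "__main__":
    rec_301 = make_tlsa(3, 0, 1, OLD_CERT_DER, SAME_SPKI)   # whole-cert hash
    rec_311 = make_tlsa(3, 1, 1, OLD_CERT_DER, SAME_SPKI)   # SPKI hash
    print("3 0 1 after renewal:", dane_ee_matches(rec_301, NEW_CERT_DER, SAME_SPKI))  # False
    print("3 1 1 after renewal:", dane_ee_matches(rec_311, NEW_CERT_DER, SAME_SPKI))  # True
```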

------------------------------

Subject: Digest Footer

_______________________________________________
dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users


------------------------------

End of dhcp-users Digest, Vol 114, Issue 1
******************************************
