ietf-smtp

Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-16 16:58:41

In message 
<CABa8R6v-oPOfXuYp+MkZ_11JXtYRcsjhfVjFpa57FD9mst0xhA(_at_)mail(_dot_)gmail(_dot_)com>,
 Brandon Long writes:
On Mon, Jun 16, 2014 at 12:07 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

PS:

The next problem with DANE is that it requires users to have an updated
enough DNS server/client that provides tools for the new RR-Type, as
opposed to the "overload the TXT record" mechanism that has been popular
in the email world recently.  I know our code hasn't added support yet,
though it looks like it's in recent BIND implementations. ...

BIND and NSD have supported TLSA since 2012, and any reasonably recent DNS
cache should handle TLSA since it doesn't have any special semantics.  The
problem is more likely to be the web crudware that people use to provision
their DNS zones.


Right, and my desktop at work as well as most of my personal servers are
running the last Ubuntu LTS release (precise) from Spring 2012 and don't
have it.  Some things upgrade slowly.  I don't have any knowledge one way
or the other on how much of a burden it would be for the open source MTAs
and their admins, etc.

But they do support the unknown record format.  You can publish TLSA
records with those servers.  It is trivial to turn a TLSA record
into an unknown record.

Below is the same record in both forms.  Just turn the first 3
fields into hex octets and add an octet count.

TLSA 3 0 1 88B54DA87A0E5D1E4EB4CD9B87D24E79A57EAD51C34E350FD071582070BEA3B3
TYPE52  \# 35 03000188b54da87a0e5d1e4eb4cd9b87d24e79a57ead51c34e350fd071582070bea3b3

Or you get and compile BIND 9.10.x and use "named-rrchecker -u"
from it to print the record out in unknown format.  You don't even
need to install it to do this.

% named-rrchecker -u
IN TLSA 3 0 1 88B54DA87A0E5D1E4EB4CD9B87D24E79A57EAD51C34E350FD0715820 70BEA3B3
CLASS1  TYPE52  \# 35 03000188b54da87a0e5d1e4eb4cd9b87d24e79a57ead51c34e350fd071582070bea3b3
% 

Or you upgrade the nameserver component.  It's not like Ubuntu LTS
isn't made up of packages which you can upgrade individually.

If you have outsourced your DNS and they do not support TLSA or
unknown format, go somewhere else or bring it back in house.

Mark

Probably less work than getting DNSSEC up, I guess.

Brandon


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
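The conversion Mark describes (first three fields to octets, prefix an octet count, emit as TYPE52 in RFC 3597 generic syntax) is mechanical enough to script. The following is an added example written for this thread; it is not code from ISC, BIND, or any of the posters, and it uses only the Python standard library. It also does the reverse conversion and checks that the data length matches the declared matching type (32 bytes for SHA-256, 64 for SHA-512), which is the kind of sanity check a zone administrator wants before publishing a record that, if wrong, will make DANE-aware MTAs refuse to deliver.

```python
"""Convert DANE TLSA records between presentation form and RFC 3597
"unknown record" form (TYPE52 \# <octet count> <hex>).

Added example for this thread; not code from ISC, BIND or the posters.
Assumes only the Python standard library.
"""
import re

TLSA_TYPE = 52  # RR type number assigned to TLSA (RFC 6698)

# Expected length of the certificate association data per matching type,
# in bytes; None means "full data, any length".
_MATCHING_TYPE_LEN = {0: None, 1: 32, 2: 64}  # Full, SHA-256, SHA-512


def parse_tlsa(text):
    """Parse 'TLSA usage selector mtype hex...' into (usage, selector, mtype, data).

    Leading owner/class tokens (e.g. 'IN') are tolerated.  Whitespace inside
    the hex string is allowed, as RFC 6698 permits in presentation format.
    """
    tokens = text.split()
    # Drop everything up to and including the 'TLSA' mnemonic.
    if "TLSA" in tokens:
        tokens = tokens[tokens.index("TLSA") + 1:]
    if len(tokens) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(t) for t in tokens[:3])
    for name, val in (("usage", usage), ("selector", selector), ("matching type", mtype)):
        if not 0 <= val <= 255:
            raise ValueError(f"{name} {val} does not fit in one octet")
    hexdata = "".join(tokens[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexdata) or len(hexdata) % 2:
        raise ValueError("certificate association data is not valid hex")
    data = bytes.fromhex(hexdata)
    expected = _MATCHING_TYPE_LEN.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} expects {expected} bytes, got {len(data)}")
    return usage, selector, mtype, data


def tlsa_to_unknown(text):
    """Return the RFC 3597 generic form: 'TYPE52 \\# <octet count> <hex>'."""
    usage, selector, mtype, data = parse_tlsa(text)
    # Wire-format RDATA: three single-octet fields followed by the data.
    rdata = bytes([usage, selector, mtype]) + data
    return f"TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def unknown_to_tlsa(text):
    """Reverse conversion: 'TYPE52 \\# <octet count> <hex>' -> 'TLSA u s m HEX'."""
    tokens = text.split()
    if "\\#" not in tokens:
        raise ValueError("not in RFC 3597 generic form")
    i = tokens.index("\\#")
    if i == 0 or tokens[i - 1].upper() != f"TYPE{TLSA_TYPE}":
        raise ValueError(f"not a TYPE{TLSA_TYPE} record")
    length = int(tokens[i + 1])
    rdata = bytes.fromhex("".join(tokens[i + 2:]))
    if len(rdata) != length:
        raise ValueError(f"declared {length} octets but found {len(rdata)}")
    if length < 3:
        raise ValueError("TLSA RDATA needs at least three octets")
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    return f"TLSA {usage} {selector} {mtype} {rdata[3:].hex().upper()}"


if __name__ == "__main__":
    # The record from the thread, in both directions.
    rec = "TLSA 3 0 1 88B54DA87A0E5D1E4EB4CD9B87D24E79A57EAD51C34E350FD071582070BEA3B3"
    generic = tlsa_to_unknown(rec)
    print(generic)
    print(unknown_to_tlsa(generic))
```

Feeding it Mark's record gives exactly the TYPE52 line he posted; feeding it the named-rrchecker input with the space inside the hash (as in the transcript above) gives the same result, since whitespace in the hex is joined before decoding. The length check matters because a truncated or mistyped hash publishes cleanly as an unknown record but never matches any certificate.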
