Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-07

--On Monday, January 7, 2019 11:34 +0000 Paul Smith
<paul(_at_)pscs(_dot_)co(_dot_)uk> wrote:

> A simple TXT record saying "This domain's MTAs support
> STARTTLS (and, possibly, optionally, this is the certificate
> fingerprint)" would seem useful and not need anything else,
> and would protect against STARTTLS downgrade for any sender
> willing to support it.
>
> Obviously it would be vulnerable to DNS pollution, but so
> would the original proposal.

Please see at least one of Bert Hubert's "DNS Camel" pieces
and/or RFC 8324, and think about not only pollution/cache
poisoning but about the observation that DNS zone managers and
email administrators are often in separate departments with less
effective communication than one might like, before going down
that path.

<rant> Given some of my other concerns, I also had a quick
thought about some people changing "support" in the above text
to "supports" while others didn't and others writing the whole
string in some language very different from English (the DNS
certainly would not prevent a string in Unicode encoded in UTF-8
from appearing in the DATA of a TXT RR).  Consider what would be
required for an SMTP-Sender to retrieve all of the TXT RRs
associated with a given FQDN and then parse each of them,
possibly through a multilingual language-understanding module,
to see if that was the intended message.   A variety of
subsequent abuses^H^H^H^H^H^H features notwithstanding, there
are rather good reasons why, when the DNS was first designed and
specified, the assumption was that information in TXT records
was intended strictly as information for human consumption, not
for processing by programs.  </rant>
